COMMAND

    Groupewise Web Interface

SYSTEMS AFFECTED

    Novell GroupWise 5.2 and 5.5

PROBLEM

    Sacha  Faust  Bourque  found  problems  with GroupeWise web server
    (Novell was contacted):

        1. The help argument in GWWEB.EXE reveal full web path on  the
           server
        2. anyone  can  read  a  .htm  file  on  the  system with  the
           GWWEB.EXE and the HELP argument.

    Examples.

    1. Full web server path
    =========================
    By sending

        http://server/cgi-bin/GW5/GWWEB.EXE?HELP=bad-request

    the server will reply

        Could not find file SYS:WEB\CGI-BIN\GW5\US\HTML3\HELP\BAD-REQUEST.HTM

    2. Read any .htm file
    =====================
    By sending

        http://server/cgi-bin/GW5/GWWEB.EXE?HELP=../../../../../index

    (refering to the path returned in the previous example).  You will
    see the main web site interface.

    Author did some intensive test with the HELP trying to get rid  of
    the .htm  that it  happens and  we were  unable to  get rid of it.
    This was tested on GroupWise 5.2 and 5.5.

    This vulnerability exists on the Enterprise Web Server.

SOLUTION

    - Change extension to .shtml  - these are not shown.
    - For each Web page, have two separate pages with the same name  -
      one with .htm extension and  one with .html extension. Use  .htm
      for the pages  with real content.  When two pages  with the same
      name, but these  different extensions exist,  this vulnerability
      will show .html instead of .htm.
    - Turn off WebAccess until Novell fixes it.
    - Possible  (recommended) solution:  Use separate  server for  Web
      pages  and  GroupWise  WebAccess.   Apache  seems  to  be a good
      choice...  haven't seen it for NetWare though.

    Note  that  this  DOES  show  pages  that  are  in  areas normally
    requiring authentication,  without requiring  such authentication,
    therefore  making  it  a  security  risk. Relative-path links from
    this page  will be  broken; absolute  paths will  (of course) work
    normally.  If you  don't have any areas  of the site that  require
    authentication, this problem doesn't matter.

    The solution (using the Admin Server GUI) is to select the  server
    you want  to modify  from the  admin server  list, choose "Content
    Management" from the title bar, then select "Document Preferences"
    from the sidebar menu.  If you set "Directory Indexing" to "None",
    Netscape will not  list contents of  the directory if  there is no
    document specified in  a directory and  no file matches  the index
    filename spec from  that same "Document  Preferences" page.   This
    seems  to  work  just  fine  for  Netscape Enterprise Server 3.5.1
    running  on   NT.   If   anything,  this   is  a   common  default
    configuration problem  for products  based on  Netscape Enterprise
    and FastTrack Server, whether ported by Netscape or other vendors.

    Novell is not supporting its old web server product for Y2K, while
    the Netscape Enterprise Server for NetWare 4 & 5 is available  for
    free from Novell at:

        http://www.novell.com/download/

    while it is official that  Novell has retired all versions  of the
    NetWare Web Server  and all version  of GroupWise WebAccess  prior
    to 5.5 and discontinued support since 7/31/99 per the following:

        http://support.novell.com/lifecycle/eoltable.htm