COMMAND

    NetWare Enterprise Web Server

SYSTEMS AFFECTED

    Novell NetWare 5.x with NetWare Enterprise Web Server 5.1 and GroupWise WebAccess 5.5

PROBLEM

    The following is based on a Nomad Mobile Research Centre Advisory by
    Adept and  Simple Nomad.   The NetWare  Enterprise Web  Server 5.1
    has a couple of security problems, and these problems are  related
    to additional products being used, such as GroupWise WebAccess.

    Testing was done with the following configuration:
    - Novell NetWare 5.x, latest Service Pack
    - GroupWise WebAccess, latest versions

    Issue #1 - Information Leak
    ===========================
    When NDS browsing  via the web  server is enabled,  if an attacker
    can reach  that server's  port 80  they can  enumerate information
    such as user names, group names, and other system information.

    The default location for gaining this information is

        http://server/lcgi/ndsobj.nlm

    which, if NDS browsing is enabled, will allow the enumeration.

    This  is  not  especially  a  GroupWise problem, but WebAccess can
    "intensify" the leakage, as it allows for more objects to  browse.
    This is simply a new flavor of an old problem.

    Issue #2 - Directory Listing
    ============================
    Poor handling of GET  commands will allow for  GroupWise WebAccess
    servers  to  display  indexes  of  the directories instead of HTML
    files.  We have been unable to get this to work consistently.

    Basically,  instead  of  issuing  a  "GET  / HTTP/1.1" from NetCat
    against  port  80  on  the  target  system, using "get / http/1.1"
    causes  a  directory  listing  to  be  displayed  if  indexing  of
    directories  is  allowed,  instead  of  a  501  or  502 error when
    indexing of directories is disallowed.
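
    To check whether either issue has been exercised against a server,
    the web access log can be scanned for requests to the NDS browser
    path and for request lines with a lowercase method.  The following
    is an added example, not part of the original advisory; it assumes
    the log is in Common Log Format, and the function names and sample
    log lines are constructed for illustration.

```python
import re

# Assumed log layout (Common Log Format): host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
NDS_PATH = "/lcgi/ndsobj.nlm"  # default NDS browser location named in the advisory

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2000:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 1043
192.0.2.77 - - [01/Mar/2000:10:02:13 -0500] "GET /lcgi/ndsobj.nlm HTTP/1.0" 200 5120
192.0.2.77 - - [01/Mar/2000:10:02:40 -0500] "get / http/1.1" 200 2210
192.0.2.31 - - [01/Mar/2000:10:05:09 -0500] "get / http/1.1" 501 312
192.0.2.31 - - [01/Mar/2000:10:06:00 -0500] "GET /LCGI/NDSOBJ.NLM?x=1 HTTP/1.0" 404 0
"""

def classify(line):
    """Return a list of (host, finding, status) tuples for one log line."""
    m = CLF.match(line)
    if not m:
        return []
    host, _ts, request, status, _size = m.groups()
    parts = request.split()
    if len(parts) < 2:
        return []
    method, target = parts[0], parts[1]
    served = status.startswith("2")
    findings = []
    # Issue #1: request for the NDS browser NLM. Compare case-folded and
    # without the query string so a differently-cased request is not missed.
    if target.split("?", 1)[0].lower() == NDS_PATH:
        findings.append((host, "nds-browse-served" if served else "nds-browse-probe", int(status)))
    # Issue #2: method token not in upper case. A 2xx answer means content was
    # returned; the advisory expects a 501 or 502 when indexing is disallowed.
    if method != method.upper():
        findings.append((host, "lowercase-method-served" if served else "lowercase-method-rejected", int(status)))
    return findings

def scan(text):
    """Classify every line of a log and return all findings in order."""
    return [f for line in text.splitlines() for f in classify(line)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

    A "served" finding for either check is the one to follow up first,
    since it means the server answered with content.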

SOLUTION

    No idea if this is what the GroupWise Padlock:

        http://www.novell.com/padlock
        http://oliver.efri.hr/~crv/security/bugs/Others/gwise3.html

    thing is about, since Novell is not only vague about the issues, but
    never acknowledged Adept's findings.

    The  NDS  browser  is  disabled  by  default,  which  is good.  If
    enabled,  you  can  disable  it  by performing the following steps
    from the WEBMGR utility:
      1. Click File.
      2. Click Select Server and select the appropriate server.
      3. Select the \WEB directory on the drive that is mapped to  the
         server and click OK.
      4. Uncheck the Enable NDS browsing check box and click OK.
      5. Click Save and Restart.
      6. Enter the Web Server password and click OK.

    Alternatively, you can remove [Public] read access from the root of
    the NDS tree(s), which will keep everyone, including internal
    non-authenticated users, from browsing your internal tree.

    Awaiting   an   official    response   from   Novell,    including
    acknowledgement of the problem.   They were notified a few  months
    ago.