COMMAND

    StarScheduler

SYSTEMS AFFECTED

    StarScheduler/StarOffice 5.1

PROBLEM

    Following is based on S.A.F.E.R. Security Bulletin 000309.EXP.1.4.
    StarOffice   comes   with   a   nice   groupware   server,  called
    StarScheduler.  It also includes  a web server that is  vulnerable
    to several security problems.

    A buffer overflow  exists in the  StarScheduler web server  (which
    listens on port  801), that can  lead to remote  execution of code
    and root access.  Since the server dies, this is also a DoS issue.
    The problem is in the way web server handles long requests.

    Sending a "GET /['A' x 933] HTTP/1.0" will crash the server.  This
    web server is running as a root.  Another silly problem exists  in
    the server that allows  any user to gain  read access to files  to
    which they normally don't have access to.  Example:

        http://starscheduler_server:801/../../../../etc/shadow

    This will display the content of the /etc/shadow file.

SOLUTION

    No  fixes  are  available  yet.  Sun  has been contacted on 6th of
    February, but no response from them.