Novell iChain Has Multiple Bugs That Let Remote Users Bypass ACLs, Deny Service, and Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1011074
|
|
SecurityTracker URL: http://securitytracker.com/id?1011074
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 26 2004
|
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.3
|
Description: Several vulnerabilities were reported in Novell iChain. A remote user may be able to bypass access controls. A remote user can cause denial of service conditions. A remote user can conduct cross-site scripting attacks.
Novell reported that there is a security vulnerability in ACLCHECK. A remote user can supply a long UTF-8 encoded string containing
escape sequences to bypass access control rules.
A remote user can conduct cross-site scripting attacks to cause arbitrary scripting
code to be executed by the target user's browser. The code will originate from the site running the iChain software and will run
in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication
cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take
actions on the site acting as the target user.
A remote user can supply a specially crafted URL containing a specific string
to cause denial of service conditions on the target system.
A remote user can determine the specific iChain build version by
examining the via header.
|
Impact: A remote user may be able to bypass access controls.
A remote user can cause denial of service conditions.
A remote user can
determine the build version number.
A remote user can access the target user's cookies (including authentication cookies), if
any, associated with the site running the iChain software, access data recently submitted by the target user via web form to the
site, or take actions on the site acting as the target user.
|
Solution: Novell has issued a fix (2.3 Support Pack 1 Beta 1 version 2.3.252), available at:
http://support.novell.com/servlet/filedownload/sec/ftf/b1ic23sp1.exe
The
fix is described at:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2969621.htm
|
Vendor URL: support.novell.com/cgi-bin/search/searchtid.cgi?/2969621.htm (Links to External Site)
|
Cause: Access control error, Input validation error
|
|
Message History:
None.
|
Source Message Contents
|
Date: Aug 26, 2004
Subject: iChain 2.3 Support Pack 1 Beta 1 - TID2969621
|
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2969621.htm
> iChain 2.3 Support Pack 1 Beta 1 - TID2969621 (last modified 24AUG2004)
> iChain 2.3 Support Pack 1 Beta 1 version 2.3.252
> 1) ACLCHECK Security hole with overlong UTF-8 encoding where access control
> rules could be bypassed using escape sequences.
> 2) Cross-site scripting (XSS) vulnerability where login credentials could
> have been sent to another host.
> 3) DoS attack on iChain server when URL contains specific string.
> 4) Security concern with VIA header and the displaying of the iChain build
> version. Added "viaheaderbuildversion=" option to /etc/proxy/proxy.cfg to
> modify the build version sent in the VIA header.
> Example: Add the following to the proxy.cfg file:
>
> [HTTP Headers]
> viaheaderbuildversion=2.3
>
> This will show up as (iChain 2.3) in the via header. Otherwise it will
> show up with the standard build version such as (iChain 2.2.252).
http://support.novell.com/servlet/filedownload/sec/ftf/b1ic23sp1.exe
|
|
