SecurityTracker.com
Category:   Application (Security)  >   GetAccess
Vendors:   Entrust
(Entrust Issues Fix) Re: Entrust GetAccess Input Validation Flaw Lets Remote Users Obtain Files from the Server
SecurityTracker Alert ID:  1002701
SecurityTracker URL:  http://securitytracker.com/id/1002701
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 5 2001
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   An input validation flaw was reported in Entrust's GetAccess single sign-on software. Remote users can obtain files from the server.

It is reported that a remote user can read any file on the server that is readable by the GetAccess server. This is possible because GetAccess apparently uses default shell scripts to start Java classes for the GetAccess web applications.

An HTTP request for the following URL can be used to retrieve FILE/PATH:

http://getAccessHostname/sek-bin/helpwin.gas.bat?

with the following parameters:
mode=
&draw=x
&file=x
&module=
&locale= [relative FILE/PATH] [Nullbyte/0x00] [Backslash/0x5c]
&chapter=

The vendor has been notified.
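
As an added example (not part of the original advisory or of any Entrust code), the following Python sketch scans web server access log lines for requests to the two affected scripts whose locale value is not a plain XX_XX name, the format given in the vendor bulletin below. The Common Log Format layout, the exact XX_XX character set and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts named in the advisory and in the vendor bulletin.
SCRIPTS = ("helpwin.gas.bat", "aboutbox.gas.bat")
# Expected shape of a locale value ("XX_XX"); the character set is an assumption.
LOCALE_OK = re.compile(r"[A-Za-z]{2}_[A-Za-z]{2}")
# Request line inside a Common Log Format entry (assumed log layout).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_locale(log_line):
    """Return the decoded locale value if the request targets one of the
    scripts and the value is not a plain XX_XX name; otherwise None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(SCRIPTS):
        return None
    # parse_qsl percent-decodes, so %00 and %5c appear as raw characters.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "locale" and value and not LOCALE_OK.fullmatch(value):
            return value
    return None

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Nov/2001:09:00:01 -0500] "GET /sek-bin/helpwin.gas.bat?mode=&draw=x&file=x&module=&locale=en_US&chapter= HTTP/1.0" 200 5120',
    '192.0.2.77 - - [05/Nov/2001:09:00:09 -0500] "GET /sek-bin/helpwin.gas.bat?mode=&draw=x&file=x&module=&locale=..%2F..%2Fexample.txt%00%5c&chapter= HTTP/1.0" 200 833',
    '192.0.2.10 - - [05/Nov/2001:09:00:15 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

def scan(lines):
    """Return (line_number, decoded_locale) for every flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_locale(line)
        if value is not None:
            hits.append((n, value))
    return hits

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: locale={value!r}")
```
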

Impact:   A remote user can read files on the server that are readable by the GetAccess service.
Solution:   A patch is reportedly available on the GetAccess support extranet at:

https://login.encommerce.com/private/docs/techSupport/Patches-BugFix

Vendor URL:  www.entrust.com/
Cause:   Input validation error
Underlying OS:   UNIX (Solaris - SunOS), Windows (NT)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 5 2001 Entrust GetAccess Input Validation Flaw Lets Remote Users Obtain Files from the Server



 Source Message Contents

Date:  Mon, 5 Nov 2001 09:23:56 -0500
Subject:  Entrust Bulletin E01-005: GetAccess Access Service vulnerability


Entrust Security Bulletin E01-005
=================================

Entrust GetAccess(tm) Access Service Vulnerability


SUMMARY:
========

A vulnerability has been identified in Entrust GetAccess that could allow
unauthorized retrieval of files on certain GetAccess web servers. Entrust
recommends installation of the patch described below, which addresses this
vulnerability.

Impact of vulnerability: 

This vulnerability could potentially result in the unauthorized retrieval of
some files hosted on impacted web servers. Servers running the GetAccess
Access Service are impacted; others running GetAccess runtimes and other
services are not. Typical customer deployments store sensitive content on
GetAccess runtime servers, therefore reducing the impact of this
vulnerability. 

Solution:

Entrust has made a patch available on the GetAccess support extranet at
the location listed below. A workaround also exists, described below.

Affected Configurations:

- Versions: Entrust GetAccess, all versions
- Platforms: All
- Services: Entrust GetAccess Access Service


TECHNICAL DETAILS:
==================

GetAccess provides a localization mechanism that allows its HTML pages (used
for logout sequences, error messages, timeout messages, and the like) to be
localized using different language-specific templates.  This mechanism takes
in as an argument a query string name-value pair of the format
"LOCALE=XX_XX", where XX_XX corresponds to the name of the sub-directory
within the GetAccess directory structure that contains the appropriate HTML
templates.  GetAccess uses this information to build the directory path and
select the appropriate files.

The vulnerability arises if a user manually substitutes an arbitrary
directory path for the XX_XX value.  The localization mechanism is
vulnerable in the following GetAccess Access Service capabilities:

- The process which drives localized user help during login (if the user 
  clicks the "Help" link on a login screen)
- The process which drives the "About" screen that drives GetAccess 
  version information.

All other GetAccess processes that support the localization mechanism do not
contain this vulnerability.


MITIGATING FACTORS:
===================

- The only files that are potentially exposed are the ones that the web 
  server has permission to access.
- This vulnerability is limited to file retrieval only.  It is not 
  possible to exploit this vulnerability to upload files/data or to execute 
  arbitrary code on the web server.
- Only files on the Access Service machine(s) are potentially at risk of 
  exposure.  The most common deployment architecture segregates the Access 
  Service from web servers hosting any sensitive application data.


PATCH AVAILABILITY:
===================

A patch is available now on the GetAccess support extranet at the following
address: 
https://login.encommerce.com/private/docs/techSupport/Patches-BugFix


WORK-AROUNDS:
=============

If the patch above is applied, the following work-arounds are not required.

- The following files can be removed from GetAccess Access Service hosts, 
  eliminating the vulnerability. Note that the patch above corrects the 
  vulnerability in these scripts and eliminates the need to delete the 
  scripts.
     
     helpwin.gas.bat: this script is referenced by the "Help" link on 
     GetAccess login screens. These links could be replaced with 
     alternative HTML help pages not driven by the GetAccess help script.

     AboutBox.gas.bat: This script drives the "About" box that displays 
     GetAccess version information. 

- As part of normal security policy, customers should not store sensitive 
  data on GetAccess Access Service hosts.  Web servers hosting such data 
  should be secured using the GetAccess Runtime, which is not affected 
  by this vulnerability.  Almost all Entrust GetAccess customers choose 
  to deploy in this sort of configuration even in the absence of this 
  vulnerability.

- If the Access Service component is co-located on a web server hosting 
  sensitive files, the Access Service can be segregated to a dedicated 
  server in order to minimize the potential exposure.  

- File permissions should be set such that all files not explicitly needed 
  by the web server are inaccessible to the user account under which the web
  server runs (in keeping with industry best practice).

- Impacted Components: Only GetAccess servers running the Access Service 
  component are affected.   Web servers hosting secure content protected 
  by the GetAccess Runtime are not affected.


SUPPORT:
========

Entrust customer support, including after-hours service, is available by
phone as follows:

North America:  1-877-754-7878
Elsewhere: +1-613-270-3700


ACKNOWLEDGMENT:
=============== 

Entrust acknowledges the assistance of Rudi Carell, who worked with us to
eliminate this vulnerability.


Copyright (c) 2001 Entrust Inc.


security@entrust.com
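
The bulletin's technical details describe a LOCALE value being used to build a directory path. The Python sketch below is an added example, not Entrust's patch or code, showing one way to harden that kind of lookup: allowlist the XX_XX shape first, then confirm the resolved path stays under the template root. The function name, directory layout, file names and the exact XX_XX character set are assumptions.

```python
import re
import tempfile
from pathlib import Path

# "XX_XX" as described in the bulletin; the exact character set is an assumption.
LOCALE_RE = re.compile(r"[A-Za-z]{2}_[A-Za-z]{2}")

class BadLocale(ValueError):
    """Raised when a LOCALE value or the path built from it is not acceptable."""

def template_path(root, locale, page):
    """Map a LOCALE value to a template file under root, or raise BadLocale.
    (Hypothetical helper; 'page' is meant to be chosen by the server.)"""
    # 1. Allowlist the shape: rejects separators, "..", NUL and backslash outright.
    if not LOCALE_RE.fullmatch(locale):
        raise BadLocale(f"unexpected locale value: {locale!r}")
    root = Path(root).resolve()
    candidate = (root / locale / page).resolve()
    # 2. Containment check after resolving symlinks and "..": defence in depth
    #    in case another path component is ever influenced by the request.
    if root not in candidate.parents:
        raise BadLocale("resolved path escapes template root")
    if not candidate.is_file():
        raise BadLocale("no such template")
    return candidate

def demo():
    """Build a constructed template tree and try several LOCALE values."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "templates"
        (root / "en_US").mkdir(parents=True)
        (root / "en_US" / "help.html").write_text("<html>help</html>")
        (Path(tmp) / "outside.txt").write_text("not a template")
        for value in ["en_US", "../", "..\\..", "en_US\x00\\", "fr_FR"]:
            try:
                template_path(root, value, "help.html")
                results[value] = "served"
            except BadLocale as exc:
                results[value] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r}: {outcome}")
```
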



 
 



Copyright 2013, SecurityGlobal.net LLC