(Entrust Issues Fix) Re: Entrust GetAccess Input Validation Flaw Lets Remote Users Obtain Files from the Server
SecurityTracker Alert ID: 1002701
SecurityTracker URL: http://securitytracker.com/id/1002701
Date: Nov 5 2001
Disclosure of system information, disclosure of user information
Fix Available: Yes; Vendor Confirmed: Yes
An input validation flaw was reported in Entrust's GetAccess single sign-on software. Remote users can obtain files from the server.
It is reported that a remote user can read files on the server that are readable by the GetAccess server. This is possible because GetAccess apparently uses default shell scripts to start Java classes for the GetAccess web applications.
An HTTP request for the following URL can be used to retrieve FILE/PATH:
with the following parameters:
&locale= [relative FILE/PATH] [Nullbyte/0x00] [Backslash/0x5c]
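The Python script below is added here as an illustration and is not part of the SecurityTracker entry or Entrust's bulletin. It models the flaw class the payload above relies on: a locale value pasted into a file path without validation, a NUL byte cutting off whatever the application appends after it (as a C-level open() or exec would see the string), and a hardened lookup that rejects such input by allow-listing the XX_XX shape and confirming the canonical path stays under the template root. The template directory, the request parameter handling and all function names are assumptions for the example; the backslash at the end of the advisory's payload is reproduced in the constructed request but the model does not depend on it, since the page does not say what it defeats.

```python
import posixpath
import re
from urllib.parse import parse_qs

# Assumed layout: one sub-directory of language templates per locale.
TEMPLATE_ROOT = "/opt/getaccess/templates"
# The "XX_XX" shape described in the bulletin (e.g. en_US).
LOCALE_RE = re.compile(r"[a-z]{2}_[A-Z]{2}")


def locale_from_query(query_string):
    """Pull the locale value out of a raw query string.

    parse_qs percent-decodes, so %00 becomes a NUL byte and %5c a backslash,
    exactly as the web tier would hand them to the application.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("locale") or params.get("LOCALE") or [""]
    return values[0]


def build_template_path_vulnerable(locale, page="help.html"):
    """Flawed pattern: the locale value becomes a directory name as-is."""
    return TEMPLATE_ROOT + "/" + locale + "/" + page


def c_string_view(path):
    """What a NUL-terminated consumer (C open(), exec of a shell script) sees:
    the string ends at the first 0x00 byte, so anything the application
    appended after the attacker-controlled value disappears."""
    return path.split("\x00", 1)[0]


def effective_file(locale):
    """Resolve the file the vulnerable builder would actually open."""
    return posixpath.normpath(c_string_view(build_template_path_vulnerable(locale)))


def build_template_path_hardened(locale, page="help.html"):
    """Same lookup with the checks a fix should carry."""
    # 1. Control bytes (NUL in particular) never belong in a path component.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in locale):
        raise ValueError("control byte in locale")
    # 2. Allow-list the shape the feature needs instead of blocking '..'.
    if not LOCALE_RE.fullmatch(locale):
        raise ValueError("locale must look like xx_XX")
    # 3. Canonicalize and confirm the result is still under the template root.
    full = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, locale, page))
    if posixpath.commonpath([TEMPLATE_ROOT, full]) != TEMPLATE_ROOT:
        raise ValueError("path escapes template root")
    return full


def is_traversal_attempt(locale):
    """True if the hardened builder refuses the value (useful in a detection rule)."""
    try:
        build_template_path_hardened(locale)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request shaped like the advisory's payload; not a captured one.
    payload = "locale=../../../../etc/passwd%00%5c"
    loc = locale_from_query(payload)
    print("vulnerable build opens:", effective_file(loc))
    print("hardened build rejects:", is_traversal_attempt(loc))
    print("legit locale resolves to:", build_template_path_hardened("en_US"))
```

Run as-is: the vulnerable builder produces "/opt/getaccess/templates/../../../../etc/passwd\x00\\/help.html", which a NUL-terminated consumer truncates to the traversal path and resolves to /etc/passwd, while the hardened builder raises on the same value and still serves the en_US template. The ordering of the checks matters: the NUL test comes first because a regex or a ".." filter applied to the full Python string would otherwise pass judgement on bytes the downstream C string never sees.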
The vendor has been notified.
A remote user can read files on the server that are readable by the GetAccess service.
A patch is reportedly available on the GetAccess support extranet at:
Vendor URL: www.entrust.com/
Input validation error
UNIX (Solaris - SunOS), Windows (NT)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Mon, 5 Nov 2001 09:23:56 -0500
Subject: Entrust Bulletin E01-005: GetAccess Access Service vulnerability
Entrust Security Bulletin E01-005
Entrust GetAccess(tm) Access Service Vulnerability
A vulnerability has been identified in Entrust GetAccess that could allow
unauthorized retrieval of files on certain GetAccess web servers. Entrust
recommends installation of the patch described below, which addresses this
Impact of vulnerability:
This vulnerability could potentially result in the unauthorized retrieval of
some files hosted on impacted web servers. Servers running the GetAccess
Access Service are impacted; others running GetAccess runtimes and other
services are not. Typical customer deployments store sensitive content on
GetAccess runtime servers, therefore reducing the impact of this
Entrust has made a patch available on the GetAccess support extranet at
the location listed below. A workaround also exists, described below.
- Versions: Entrust GetAccess, all versions
- Platforms: All
- Services: Entrust GetAccess Access Service
GetAccess provides a localization mechanism that allows its HTML pages (used
for logout sequences, error messages, timeout messages, and the like) to be
localized using different language-specific templates. This mechanism takes
in as an argument a query string name-value pair of the format
"LOCALE=XX_XX", where XX_XX corresponds to the name of the sub-directory
within the GetAccess directory structure that contains the appropriate HTML
templates. GetAccess uses this information to build the directory path and
select the appropriate files.
The vulnerability arises if a user manually substitutes an arbitrary
directory path for the XX_XX value. The localization mechanism is
vulnerable in the following GetAccess Access Service capabilities:
- The process which drives localized user help during login (if the user
clicks the "Help" link on a login screen)
- The process which drives the "About" screen that drives GetAccess
All other GetAccess processes that support the localization mechanism do not
contain this vulnerability.
- The only files that are potentially exposed are the ones that the web
server has permission to access.
- This vulnerability is limited to file retrieval only. It is not
possible to exploit this vulnerability to upload files/data or to execute
arbitrary code on the web server.
- Only files on the Access Service machine(s) are potentially at risk of
exposure. The most common deployment architecture segregates the Access
Service from web servers hosting any sensitive application data.
A patch is available now on the GetAccess support extranet at the following
If the patch above is applied, the following work-arounds are not required.
- The following files can be removed from GetAccess Access Service hosts,
eliminating the vulnerability. Note that the patch above corrects the
vulnerability in these scripts and eliminates the need to delete the
  helpwin.gas.bat: this script is referenced by the "Help" link on
  GetAccess login screens. These links could be replaced with
  alternative HTML help pages not driven by the GetAccess help script.
  AboutBox.gas.bat: this script drives the "About" box that displays
  GetAccess version information.
- As part of normal security policy, customers should not store sensitive
data on GetAccess Access Service hosts. Web servers hosting such data
should be secured using the GetAccess Runtime, which is not affected
by this vulnerability. Almost all Entrust GetAccess customers choose
to deploy in this sort of configuration even in the absence of this
- If the Access Service component is co-located on a web server hosting
sensitive files, the Access Service can be segregated to a dedicated
server in order to minimize the potential exposure.
- File permissions should be set such that all files not explicitly needed
by the web server are inaccessible to the user account under which the web
server runs (in keeping with industry best practice).
- Impacted Components: Only GetAccess servers running the Access Service
component are affected. Web servers hosting secure content protected
by the GetAccess Runtime are not affected.
Entrust customer support, including after hours service is available by
phone as follows:
North America: 1-877-754-7878
Entrust acknowledges the assistance of Rudi Carell, who worked with us to
eliminate this vulnerability.
Copyright (c) 2001 Entrust Inc.