Critical Path InJoin Directory Server File Disclosure Vulnerability

by Nikola Strahija on May 12th, 2002

An attacker with a valid administrative username and password is able to view any file on the system that is accessible to the owner of the iCon process. The contents of arbitrary webserver-readable files can be disclosed by supplying their path as the log entry parameter when viewing log entries.


Critical Path provides an LDAP (Lightweight Directory Access Protocol) Directory Server called InJoin. InJoin Directory Server is provided for Microsoft Windows operating systems and Unix variants. iCon is the administrative web interface for the InJoin Directory Server.

Remote: Yes

Exploit: The following example was provided as a proof-of-concept:

http://ip:1500/CONF&LOG=/etc/passwd&NOIH=no&FRAMES=y

Here the attacker is able to view the contents of /etc/passwd.
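As an added example (not code from Critical Path or the iCon product, whose implementation the page does not show): a Python model of the log-viewer flaw beside a resolver confined to a log directory, and a check that flags access-log requests whose LOG value the confined resolver would refuse. The log directory and the access-log lines are constructed for this example.

```python
import os
from urllib.parse import unquote, urlsplit

# Constructed log directory for this example; the page does not give the real iCon log location.
LOG_DIR = "/var/icon/logs"

def extract_log_param(request_url):
    """Pull the LOG value out of an iCon CONF request. The advisory's URL joins its
    parameters with '&' and has no '?', so split the path on '&' rather than parsing a query."""
    parts = urlsplit(request_url)
    tail = parts.path + ("&" + parts.query if parts.query else "")
    for segment in tail.split("&")[1:]:
        key, _, value = segment.partition("=")
        if key == "LOG":
            return unquote(value)
    return None

def resolve_log_vulnerable(log_param):
    """Models the flaw the advisory describes: the LOG value is used as the path to open."""
    return log_param

def resolve_log_hardened(log_param, log_dir=LOG_DIR):
    """Confine the request to log_dir: accept only a bare file name, then confirm the
    canonical path (symlinks resolved) still lies inside the log directory. None refuses."""
    if not log_param or log_param != os.path.basename(log_param):
        return None
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, log_param))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

# Constructed Common Log Format lines; the second carries the request shown in the advisory.
CONSTRUCTED_ACCESS_LOG = [
    '10.0.0.5 - admin [12/May/2002:10:00:01 +0000] "GET /CONF&LOG=access.log&NOIH=no&FRAMES=y HTTP/1.0" 200 512',
    '10.0.0.9 - admin [12/May/2002:10:02:17 +0000] "GET /CONF&LOG=/etc/passwd&NOIH=no&FRAMES=y HTTP/1.0" 200 1843',
    '10.0.0.9 - admin [12/May/2002:10:02:40 +0000] "GET /CONF&LOG=../../etc/passwd&NOIH=no&FRAMES=y HTTP/1.0" 200 1843',
]

def flag_disclosure_attempts(lines):
    """Return the access-log lines whose LOG value the hardened resolver would refuse,
    i.e. requests that asked the log viewer for a file outside the log directory."""
    hits = []
    for line in lines:
        request = line.split('"')[1].split(" ") if line.count('"') >= 2 else []
        log = extract_log_param(request[1]) if len(request) > 1 else None
        if log is not None and resolve_log_hardened(log) is None:
            hits.append(line)
    return hits
```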

Solution: Critical Path is aware of the vulnerability. A maintenance release to be known as iCon 4.1.4.7 will be posted on the Critical Path support website in the near future. Please contact Critical Path for more information about the availability of the maintenance release.

In the meantime, Critical Path has suggested a few workarounds.

Filter TCP port 1500 at the border to prohibit public access to the Directory Server's administrative interface.

Modify permissions on sensitive files to prohibit access by the ids user.

Administration of the Directory Server via SSL is not currently supported, but it is recommended that VPN software be used to mitigate the risk of disclosure of the administrator username and password.
