SCO CSSA-2003-021.0: docview vulnerability

by Nikola Strahija on August 25th, 2003

Due to a misconfiguration of the Apache server, anonymous remote users are able to craft a URL in such a way as to view any publicly readable file.



__________________________________________________________

SCO Security Advisory

Subject: OpenLinux: The docview package allows
anonymous remote users to view any publicly readable files
on an OpenLinux 3.1.1 system.

Advisory number: CSSA-2003-021.0
Issue date: 2003 Aug 25
Cross reference:
__________________________________________________________


1. Problem Description

Docview provides the OpenLinux System Administration Guide,
available in browser HTML format.

Due to a misconfiguration of the Apache server, anonymous
remote users are able to craft a URL in such a way as to
view any publicly readable file.

The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2003-0658 to this issue. This is a
candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for
security problems.


2. Vulnerable Supported Versions

System              Package
----------------------------------------------------------
OpenLinux 3.1.1     docview < 1.1-18

3. Solution

The proper solution is to install the latest packages.
Many customers find it easier to use the Caldera System
Updater, called cupdate (or kcupdate under the KDE
environment), to update these packages rather than
downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-023.0/RPMS

4.2 Packages

3a13ac10c8dea683b04857f15c0ccf0d docview-1.1-18.i386.rpm

4.3 Installation

rpm -Fvh docview-1.1-18.i386.rpm

4.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-023.0/SRPMS

4.5 Source Packages

3e46a0b62c1f792972adc56eaf9393b9 docview-1.1-18.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-023.0/RPMS

5.2 Packages

3a13ac10c8dea683b04857f15c0ccf0d docview-1.1-18.i386.rpm

5.3 Installation

rpm -Fvh docview-1.1-18.i386.rpm


5.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-023.0/SRPMS

5.5 Source Packages

3e46a0b62c1f792972adc56eaf9393b9 docview-1.1-18.src.rpm

6. References

Specific references for this advisory:


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0658


SCO security resources:


http://www.sco.com/support/security/index.html

This security fix closes SCO incidents: sr882676
fz528140 erg712374.


7. Disclaimer

SCO is not responsible for the misuse of any of
the information we provide on this website
through our security advisories. Our advisories are
a service to our customers intended to promote secure
installation and use of SCO products.

_________________________________________________________
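The checks implied by sections 2 and 4.2-4.3 above, as an added example that is not part of the SCO advisory: it compares the installed docview release against the fixed 1.1-18 and checks the downloaded package against the advisory's MD5 before `rpm -Fvh` is run. The function names are hypothetical, and it assumes `md5sum` is installed and that version fields are purely numeric.

```shell
#!/bin/sh
# Added example, not SCO's code. Values below are copied from the advisory.
FIXED_VERSION="1.1-18"
ADVISORY_MD5="3a13ac10c8dea683b04857f15c0ccf0d"   # docview-1.1-18.i386.rpm

# Return 0 if version-release $1 is older than $2.
# Assumption: every field separated by "." or "-" is a plain number.
ver_lt() {
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        if [ $# -gt 0 ]; then shift; fi
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Return 0 if the MD5 of file $1 equals $2 (md5sum assumed to be installed).
md5_matches() {
    [ -r "$1" ] || return 2
    sum=$(md5sum "$1" | cut -d' ' -f1)
    [ "$sum" = "$2" ]
}

# Print the installed docview version-release, or nothing if it is absent.
installed_docview() {
    rpm -q docview >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}-%{RELEASE}' docview
}

# Print one of: not-installed, up-to-date, bad-checksum, ready.
# $1 = installed version-release ("" if absent), $2 = downloaded package file.
docview_update_status() {
    installed=$1
    pkg=$2
    if [ -z "$installed" ]; then echo not-installed; return 0; fi
    if ! ver_lt "$installed" "$FIXED_VERSION"; then echo up-to-date; return 0; fi
    if ! md5_matches "$pkg" "$ADVISORY_MD5"; then echo bad-checksum; return 0; fi
    echo ready
}

# On the affected host:
#   s=$(docview_update_status "$(installed_docview)" docview-1.1-18.i386.rpm)
#   [ "$s" = ready ] && rpm -Fvh docview-1.1-18.i386.rpm
```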

