===================================================================== CERT-Renater Note d'Information No. 2006/VULN581 _____________________________________________________________________ DATE : 22/12/2006 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running Novell Netware Welcome web-app. ====================================================================== https://secure-support.novell.com/KanisaPlatform/Publishing/514/3319127_f.SAL_Public.html ______________________________________________________________________ Potential XSS security vulnerability in Welcome web-app This document (3319127) is provided subject to the disclaimer at the end of this document. environment Novell Apache on NetWare 2.0.48 Novell NetWare 6.5 Support Pack 5 Novell NetWare 6.5 Support Pack 6 situation A potential Cross-Site Scripting vulnerability has been reported against the Welcome web-app on NetWare 6.5. resolution This issue has been reported to engineering. Currently the only work-around is to disable the Welcome web-app. To disable the Welcome Web-app, remark out the following line in SYS:APACHE2/CONF/HTTPD.CONF: Include "SYS:/adminsrv/webapps/welcome/web-inf/welcome-apache.conf" by putting a '#' character in front of it, like this: # Include "SYS:/adminsrv/webapps/welcome/web-inf/welcome-apache.conf" status Reported to Engineering Security Alert bug number 2277370 document Document ID: 3319127 Creation Date: 2006-12-19 10:27:38.0 Modified Date: 2006-12-19 10:26:27.0 Novell Product: Apache Novell Product: NetWare disclaimer The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================