=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN560
_____________________________________________________________________

DATE                      : 08/12/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Apache on Novelle NetWare 6.5.

======================================================================
http://www.novell.com/support/viewContent.do?externalId=7001907
______________________________________________________________________

Potential Security Vulnerability with Apache on NetWare 6.5 after
installing OES2 Linux Server

This document (7001907) is provided subject to the disclaimer at the
end of this document.

Environment
Novell Apache on NetWare 2.0.48
Novell NetWare 6.5 Support Pack 7
Novell NetWare 6.5 Support Pack 6
Novell NetWare 6.5 Support Pack 5
Situation
After installing an OES2 Linux server into a tree that is already running
on NetWare 6.5, it is possible to access the ApacheAdmin console on NetWare
without using a password.

NOTE:  Generally this problem is only seen when the NetWare server has
been upgraded from an earlier version of NetWare 6.5 (i.e. Support Pack 2,
Support Pack 3, etc.) to Support Pack 7.


Resolution

The fix to this issue is to apply support pack 8 to the server.


Document
Document ID:	7001907
Creation Date:	11-17-2008
Modified Date:	12-04-2008
Novell Product:	Apache
Novell Product:	NetWare
Disclaimer

The Origin of this information may be internal or external to Novell.
Novell makes all reasonable efforts to verify this information. However,
the information provided in this document is for your information only.
Novell makes no explicit or implied claims to the validity of this
information.
Any trademarks referenced in this document are the property of their
respective owners. Consult your product manuals for complete trademark
information.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================