J-Security Center

Title: BSCW Symbolic Link File Disclosure Vulnerability

Severity: HIGH

Description:

BSCW (Basic Support for Cooperative Work) enables collaboration over the Web. BSCW is a 'shared workspace' system which supports document upload, event notification, group management and much more.

A vulnerability exists in BSCW that may allow authenticated users to read arbitrary files on the server. BSCW lets users upload tar archives and then unarchive them remotely, on the server, into their private space (or "data-bag").

When a user views files extracted into their "data-bag", BSCW follows symbolic links. If a tar archive extracted on the server contains a symbolic link member, BSCW returns the contents of the link's target when a client views that entry, regardless of where the target lies on the server's filesystem.

A malicious user may be able to exploit this problem to read any file on the server that is readable by the user ID under which the BSCW server process runs.
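The following is an added example and is not code from BSCW or GMD FIT. It builds a constructed tar archive containing one harmless file and one symlink member, reproduces the vulnerable extract-then-open behaviour (a temporary file stands in for a real server file such as /etc/passwd), and then applies the two checks a server should make: refusing link members and escaping paths at extraction time, and refusing to serve a symlink at view time. All function names, file names and paths are assumptions for this demo.

```python
# Added example, not BSCW's code: symlink-in-tar disclosure and its fixes.
import io
import os
import tarfile
import tempfile


def build_sample_archive(link_target):
    """Constructed attacker archive: one harmless file plus a symlink member
    named 'passwd' whose target is a path outside the workspace."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello from the data-bag\n"
        info = tarfile.TarInfo("notes.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("passwd")
        link.type = tarfile.SYMTYPE
        link.linkname = link_target
        tar.addfile(link)
    return buf.getvalue()


def find_unsafe_members(tar_bytes):
    """Names of members that must not land in a workspace: symbolic links,
    hard links, absolute names and any '..' path component."""
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if (m.issym() or m.islnk() or os.path.isabs(m.name)
                    or ".." in m.name.split("/")):
                unsafe.append(m.name)
    return unsafe


def _filter_kw(name):
    # Extraction filters exist from Python 3.12 (and backports); pass one only there.
    return {"filter": name} if hasattr(tarfile, "data_filter") else {}


def naive_extract_and_view(tar_bytes, dest, name):
    """The vulnerable behaviour: extract everything (links included), then
    serve the requested name with a plain open(), which follows the link."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        tar.extractall(dest, **_filter_kw("fully_trusted"))
    with open(os.path.join(dest, name), "rb") as fh:
        return fh.read()


def safe_extract(tar_bytes, dest):
    """Extract only regular files and directories, confined to dest."""
    dest = os.path.realpath(dest)
    kept = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if not (m.isfile() or m.isdir()):
                continue  # symlinks, hard links, devices and fifos are dropped
            target = os.path.realpath(os.path.join(dest, m.name))
            if os.path.commonpath([dest, target]) != dest:
                continue  # '..' or absolute name escaping the workspace
            tar.extract(m, dest, **_filter_kw("data"))
            kept.append(m.name)
    return kept


def view_workspace_file(ws, name):
    """Viewer-side layer: refuse anything that is a symlink or resolves
    outside the workspace, so an older extraction cannot leak either."""
    ws = os.path.realpath(ws)
    path = os.path.join(ws, name)
    if (os.path.islink(path)
            or os.path.commonpath([ws, os.path.realpath(path)]) != ws):
        raise PermissionError("refusing to serve %r" % name)
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Run the attack against both behaviours; return what each one did."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # stands in for /etc/passwd
        with open(secret, "w") as fh:
            fh.write("server-only data\n")
        archive = build_sample_archive(secret)
        naive_ws = tempfile.mkdtemp(dir=tmp)
        leaked = naive_extract_and_view(archive, naive_ws, "passwd")
        try:
            view_workspace_file(naive_ws, "passwd")
            viewer_blocked = False
        except PermissionError:
            viewer_blocked = True
        safe_ws = tempfile.mkdtemp(dir=tmp)
        kept = safe_extract(archive, safe_ws)
        return {
            "unsafe_members": find_unsafe_members(archive),
            "naive_leaks_secret": leaked == b"server-only data\n",
            "viewer_blocks_link": viewer_blocked,
            "safe_extracted": kept,
            "safe_ws_has_link": os.path.lexists(os.path.join(safe_ws, "passwd")),
        }
```

Running demo() shows the naive path returning the stand-in secret through the link, the viewer check refusing the same entry, and the filtered extraction leaving only notes.txt behind. Both layers are worth keeping: the extraction filter stops links from ever being created, and the view-time check covers workspaces populated before the filter existed. The islink-then-open sequence in view_workspace_file is still a small race window on a live filesystem; on POSIX, opening with O_NOFOLLOW and checking the resulting descriptor with fstat closes it.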

Affected Products:

  • GMD FIT BSCW 3.0.0
  • GMD FIT BSCW 3.1.0
  • GMD FIT BSCW 3.2.0
  • GMD FIT BSCW 3.3.0
  • GMD FIT BSCW 3.4.0
  • GMD FIT BSCW 3.4.1
  • GMD FIT BSCW 3.4.2
  • GMD FIT BSCW 3.4.3

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.