TID102544 (sesecure) ScriptEase Security Patch

From Developer Community

NOVELL TECHNICAL INFORMATION DOCUMENT

TITLE: ScriptEase Security Patch AUTHOR: PJO DOCUMENT ID: TID102544 DOCUMENT REVISION: DATE: 2002/04/25 10:03 AM ALERT STATUS: Yellow INFORMATION TYPE: Issue README FOR: SESECURE.EXE NOVELL PRODUCT CLASS:

NetWare API

NOVELL PRODUCT and VERSION:

NetWare default

CATEGORY:

none

COMPILER:

default

TARGET OS:

NetWare 5.1

ABSTRACT:

DETAILED DESCRIPTION

Scripting Security Patch April 2002

Table of Contents 1.0 Information about the security issue 2.0 Who should install the patch? 3.0 Installation 3.1 Patch installation on multiple servers.

1.0 Information about the security issues

ScriptEase is by default installed and configured on a NetWare 5.1 server. The default installation contains sample applications. Some of the sample applications shipped with NetWare 5.1 are insecure. These web samples can be used to read the contents of files on NetWare server. Following are two such samples script files.

SYS:NOVONYXSUITESPOTDOCSSEWSEVIEWCODE.JSE SYS:NOVONYXSUITESPOTDOCSSEWSEJABBERcomment2.JSE

This utility either removes these scripts or replaces with new secure scripts.

2.0 Who should install the patch?

NetWare servers having following configuration are insecure.

- Defualt NetWare 5.1 server with Enterprise web server running. - NetWare 6 server upgraded from NetWare 5.1 server and Enterprise web server running.

NetWare server is secure if the web server is not running or the web document root is changed from, sys:novonyxsuitespotdocs to some other directory.

It is strongly recommended to apply this patch on all NetWare servers having versions 5.1 and above, irrespective of whether the web server is installed or not.

NetWare 5.1 support pack 5 includes these patches. It is not necessary to install this patch if support pack 5 is installed.

3.0 Installation

Unzip the SCR-SEC-PATCH.ZIP to the SYS volume of the NetWare server. From the server console execute the following command.

SYS:TMPSECCHK

This utility provides options for deletion or replacement of files. Use SECCHK HELP for more information.

3.1 Patch installation on multiple servers.

This patch can be installed on multiple servers by following the above steps. Another option is to copy the sample files(*.jse) which are part of the ZIP file to their respective locations under SYS:NOVONYXSUITESPOTDOCSSEWSE directory.

DISCLAIMER THE ORIGIN OF THIS INFORMATION MAY BE INTERNAL OR EXTERNAL TO NOVELL. NOVELL MAKES EVERY EFFORT WITHIN ITS MEANS TO VERIFY THIS INFORMATION. HOWEVER, THE INFORMATION PROVIDED IN THIS DOCUMENT IS FOR YOUR INFORMATION ONLY. NOVELL MAKES NO EXPLICIT OR IMPLIED CLAIMS TO THE VALIDITY OF THIS INFORMATION.

Self-Extracting File Name: SESECURE.EXE

Files Included: Size Date Time

SESECURE.TXT (this file) SCR-SEC-PATCH.ZIP 5919 4-19-02 1:32 PM SESECURE.MSG 0 4-19-02 1:32 PM

Installation Instructions:

SESECURE.EXE can be found on: The DeveloperNet Support World Wide Web site (developer.novell.com/support/sample/recent.htm)

Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

[edit]