Article

smflood's picture
article
Reads:

5473

Score:
3
3
3
 
Comments:

3

How to Use FILTCFG to Protect Against Possible Security Vulnerability with ApacheAdmin on NetWare 6.5

Author Info

29 January 2009 - 5:22pm
Submitted by: smflood

(View Disclaimer)

TID 7001907 gives details about a potential security vulnerability with Apache, or more specifically ApacheAdmin, on NetWare 6.5 after you've installed an OES2 Linux server into the same tree.

However there seems to (currently) be some ambiguity about the actual cause and suggested fix.

Here's one way of securing access to port 2200 on your NetWare server using FILTCFG.

  1. edit sys:/etc/builtins.cfg and add the following line (perhaps before IPX services are defined)
  2. PROTOCOL-SERVICE IP, NWWebMgr, pid=TCP port=2200 srcport=<All>, NetWare Web Manager
  3. load INETCFG and navigate to Protocols | TCP/IP
  4. change Filter Support to Enabled
  5. load FILTCFG and navigate to Configure TCP/IP Filters | Define TCP/IP filters | Packet Forwarding Filters
  6. change Status to Enabled
  7. press [Ins] twice on Filters to add the following filter
  8. Packet Type: NWWebMgr
  9. press [Esc] and select Yes when prompted to Save Filter?
  10. press [Ins] twice on Exceptions to add the following exception
  11. Packet Type: NWWebMgr
    Src Addr Type: Network
    Src IP Address: network/netmask
  12. press [Esc] and select Yes when prompted to Save Filter?
  13. press [Esc] four times and select Yes when prompted to Exit FILTCFG?
  14. RESTART SERVER (unfortunately - to re-read builtins.cfg)

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.




User Comments

davidkrotil's picture

Fix is already there

Submitted by davidkrotil on 29 January 2009 - 5:49pm.

From same TID

Resolution
The fix to this issue is to apply support pack 8 to the server.

smflood's picture

SP8 is not the fix

Submitted by smflood on 30 January 2009 - 10:27am.

That is the published fix.

However I am aware of instances where the problem still exists AFTER SP8 has been applied to the NetWare server.

ecyoung's picture

published fixes <> fixed

Submitted by ecyoung on 30 January 2009 - 10:38am.

Yeah, what happened with SP8? I encountered another "published" fix that wasn't fixed just the other day: "260382 SCRSAVER - req for emergency password stored locally in an ecrypted file" was not included, even though it was published.

© 2013 Novell