-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__________________________________________________________

                        SCO Security Advisory 
 
Subject:                UnixWare 7.1.3 : The docview package allows anonymous remote users to view any publicly readable files on a UnixWare system. 
Advisory number:        CSSA-2003-SCO.18 
Issue date:             2003 August 22 
Cross reference: 
__________________________________________________________

 
 
1. Problem Description 
 
Docview provides the UnixWare System Administration Guide, 
available in browser HTML format. 
 
Due to a misconfiguration of the apache server, anonymous 
remote users are able to craft a URL in such a way as to 
view any publicly readable file. 
 
The Common Vulnerabilities and Exposures (CVE) 
project has assigned the name CAN-2003-0658 to this 
issue. This is a candidate for inclusion in the CVE list 
(http://cve.mitre.org), which standardizes names 
for security problems. 
 
 
2. Vulnerable Supported Versions 
 
System                          Binaries 
        
- - ---------------------------------------------------------------
UnixWare 7.1.3  /usr/lib/docview/conf/templates/rewrite.conf.in 
 
 
3. Solution 
 
        The proper solution is to install the latest packages. 
 
4. UnixWare 7.1.3 
 
  4.1 Location of Fixed Binaries 
     
    ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.18/ 
 
 
  4.2 Verification 
 
    MD5 (erg712369.pkg.Z) = b00357fa4f69a2aebcc7d539cc77a24b 
 
    md5 is available for download from 
           ftp://ftp.sco.com/pub/security/tools 
 
 
  4.3 Installing Fixed Binaries 
 
    Upgrade the affected binaries with the following sequence: 
 
    Download erg712369.pkg.Z to the /var/spool/pkg directory 
 
    # uncompress /var/spool/pkg/erg712369.pkg.Z 
    # pkgadd -d /var/spool/pkg/erg712369.pkg 
 
    or 
 
    # zcat erg712369.pkg.Z | pkgadd -d - 
 
5. References 
 
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0658
 
SCO security resources: 
                
http://www.sco.com/support/security/index.html 
 
This security fix closes SCO incidents 
sr882458 fz528126 erg712369. 
 
 
6. Disclaimer 
 
        SCO is not responsible for the misuse of any of 
the information we provide on this website and/or through our 
security advisories. Our advisories are a service to our 
customers intended to promote secure installation and use of 
SCO products. 
 
 
7. Acknowledgments 
 
SCO would like to thank Milos Krmesky for discovery 
of this vulnerability. 
 
_________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj9KsXkACgkQaqoBO7ipriGbmwCfU7hfWplzvTPh5CkZlGzFftuX
7vEAn1Jk461apUF4D8hRySc27/OBnkB4
=16QN
-----END PGP SIGNATURE-----