Security Hole in Netscape Enterprise Server 3.0
From: daragh_malone () ACCURIS IE (Daragh Malone)
Date: Fri, 24 Apr 1998 12:48:02 +0100
I don't know if there is a patch for this, or if this is already
well known, but here it is. A simple workaround follows.
Problem: Livewire Applications are downloadable. (Passwords are
Platform: DEC UNIX 4.0D (possibly all Unixes/NT)
applications that behave similar to Active Server Pages. The main
difference is that Livewire applications are compiled to a proprietary
byte executable that contains all the pages in the application.
These applications are generated with .web extensions. In their own
example, the game hangman is accessed as
http://www.myserver.com/hangman/ and the application is hangman.web.
So accessing http://www.myserver.com/hangman/hangman.web will download
the application to your browser.
The second problem lies in the fact that all the pages are
readable, and that database username/passwords are unencrypted, unless
specifically encrypted in your application.
The two problems combined can compromise security. This problem
occurs regardless of Web directory permissions from a server level.
Rename the .web application to something cryptic like G6r$79k9.web
and make sure that the directory it's in isn't a document directory.
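As an added illustration (not part of the original post), a small audit script a server administrator could run locally: it walks the document root for any .web application that would be fetchable by URL, and pulls printable strings out of each one to flag anything that looks like an inline database credential. The .web file contents, the `database.connect` pattern and the credential heuristic are constructed assumptions, since the compiled format is proprietary.

```python
import os
import re
import tempfile

# Printable runs of 6+ bytes, roughly what `strings` would pull out of a compiled .web file.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Heuristic for inline credentials (assumed LiveWire-style connect call or a password literal).
CREDENTIAL_HINT = re.compile(r"(password|connect\s*\()", re.IGNORECASE)


def find_web_apps(docroot):
    """Return docroot-relative paths of every .web file under the document root.

    Any hit is downloadable by URL, which is exactly the exposure the post describes."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(".web"):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def readable_secrets(path):
    """Extract printable strings from a .web file and keep the credential-looking ones."""
    with open(path, "rb") as fh:
        data = fh.read()
    found = []
    for m in PRINTABLE_RUN.finditer(data):
        text = m.group().decode("ascii")
        if CREDENTIAL_HINT.search(text):
            found.append(text)
    return found


def audit(docroot):
    """Map each exposed .web application to the suspicious strings it contains."""
    return {rel: readable_secrets(os.path.join(docroot, rel)) for rel in find_web_apps(docroot)}


def build_sample_docroot():
    """Constructed sample document root: one exposed app with a plaintext DB login, one plain page."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "hangman"))
    with open(os.path.join(root, "hangman", "hangman.web"), "wb") as fh:
        # Fake bytecode header, then the kind of readable connect string the post warns about.
        fh.write(b"\x00\x01LW\x00" + b'database.connect("ORACLE","prod","scott","tiger")' + b"\x00\x00")
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "static", "index.html"), "wb") as fh:
        fh.write(b"<html>no application here</html>")
    return root
```

An empty report after applying the workaround (the .web file renamed and moved outside the document directory) confirms that the server can no longer hand the application to a browser.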
I verified this problem on a few Internet sites, which leads to the
question: If you verify a web security problem (remember .. at the end
of Active Server Pages) is this technically illegal?
If anyone knows if this problem has been fixed I'd really