Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp'tags
From: vanja () RELAYGROUP COM (Vanja Hrustic)
Date: Wed, 22 Mar 2000 17:48:31 +0700

amonotod wrote:

Hello all,

Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though
WebPublishing has never (not even just to try it out) been enabled.  All
commands (plus more that don't work) listed in bulletin are contained in the
file "_install_path_\SuiteSpot\plugins\content_mgr\bin\content_mgr.dll".


Few more updates.

- Netscape/iPlanet still did not respond
- Stock installation of NES 3.6SP3 on Sparc/Solaris 2.7 without any
features enabled IS vulnerable to this problem. Web Publishing seems not
to be important at all
- NES 3.6SP3 on IRIX is also vulnerable
- ACLs can not stop this problem; looks like NES parses '?wp' tags even
before it is checked against ACLs (tried under Solaris)

The only way to disable this 'feature' was to edit file ns-httpd.so
(under Solaris), and modify strings inside; for example, to change
'?wp-cs-dump' into '?ab-cd-efg' - or whatever. Under Windows, the
strings are indeed located in 'content_mgr.dll' - that was the first
place where strings were found. Later, the strings were found in another
DLL - ns-httpd.dll (if I remember correctly).

If you enable Web Publishing, make sure that you also modify strings
inside content_mgr.dll (or content_mgr.so, if running on Solaris)

There are quite few sites running NES 3.6SP3 (on Solaris) that are not
vulnerable. I would really like if someone who has a setup like that and
is not vulnerable takes a look at the NES setup, and checks what
features are enabled/disabled. That might help to understand what needs
to be done in order to protect the servers.

Thanks to Reb for helpful details (erm... won't mention his email here,
so that people don't try the NES 'features' on his company website :)


Vanja Hrustic
SAFER Editor

SAFER - free monthly security newsletter
Subscriptions at http://www.safermag.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]