Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags
From: jobs () NETWORKCOMMAND COM (jobs () NETWORKCOMMAND COM)
Date: Wed, 22 Mar 2000 20:44:06 -0000


This has nothing to do with the web publishing feature in
NES but rather the "Directory Indexing" function. 

It seems SAFER found options a client can pass to the server
in order to use this feature. Because many people were
unaware of this function, it seems like a vulnerability. 

To turn it off via the Admin Interface:
Select your seb site. Then select Content
Management->Document Preferences. Under the item titled
"Directory Indexing" select none.

To turn it off in the config:
Look for this option in obj.conf:
Service method="(GET|HEAD)" type="magnus-internal/directory"
fn="index-common"

Set fn equal to: fn="send-error"

Thanks,
Mike

NetworkCommand.com

Hello all,

Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4,
vulnerable, even though
WebPublishing has never (not even just to try it out) been
enabled.  All
commands (plus more that don't work) listed in bulletin are
contained in the
file
"_install_path_\SuiteSpot\plugins\content_mgr\bin\content_mgr.dll".

regards,
amonotod

<FONT
COLOR="#222255">>__________________________________________________________</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>      S.A.F.E.R. Security Bulletin
000317.EXP.1.5</FONT>
<FONT
COLOR="#222255">>__________________________________________________________</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>TITLE    : Netscape Enterprise Server
and '?wp' tags</FONT>
<FONT COLOR="#222255">>DATE     : March 17, 2000</FONT>
<FONT COLOR="#222255">>NATURE   : Remote user can obtain
list of directories on Netscape</FONT>
<FONT COLOR="#222255">>Enterprise Server</FONT>
<FONT COLOR="#222255">>AFFECTED : Netscape Enterprise Server
3.x</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>PROBLEM:</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>Problem exists in Netscape Enterprise
Server that can allow remote user</FONT>
<FONT COLOR="#222255">>to obtain list of directories and
subdirectories on the server.</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>DETAILS:</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>Netscape Enterprise Server with 'Web
Publishing' enabled can be tricked</FONT>
<FONT COLOR="#222255">>into displaying the list of
directories and subdirectories, if user</FONT>
<FONT COLOR="#222255">>supplies certain 'tags'. For
example:</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">><A TARGET=nonlocal
HREF="/external/http://home.netscape.com/?wp-cs-dump";><A 
HREF="http://home.netscape.com/?wp-cs-dump</A">http://home.netscape.com/?wp-cs-dump</A</A>></FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>will reveal the contents of the root
directory on that web server.</FONT>
<FONT COLOR="#222255">>Contents of subdirectories can be
obtained as well. Other tags that can</FONT>
<FONT COLOR="#222255">>be used are:</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>?wp-ver-info</FONT>
<FONT COLOR="#222255">>?wp-html-rend</FONT>
<FONT COLOR="#222255">>?wp-usr-prop</FONT>
<FONT COLOR="#222255">>?wp-ver-diff</FONT>
<FONT COLOR="#222255">>?wp-verify-link</FONT>
<FONT COLOR="#222255">>?wp-start-ver</FONT>
<FONT COLOR="#222255">>?wp-stop-ver</FONT>
<FONT COLOR="#222255">>?wp-uncheckout</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>FIXES:</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>Disable 'Web Publishing'. It is safe
to assume that 'Web Publishing' is</FONT>
<FONT COLOR="#222255">>not the only feature that will
'activate' this problem. We have found</FONT>
<FONT COLOR="#222255">>few servers running Netscape
Enterprise Server that did not have 'Web</FONT>
<FONT COLOR="#222255">>Publishing' enabled, but were still
vulnerable to this problem. Until</FONT>
<FONT COLOR="#222255">>Netscape makes an official response
and clarify what is the cause of</FONT>
<FONT COLOR="#222255">>this problem, it is advised that you
test your server against this</FONT>
<FONT COLOR="#222255">>vulnerability, and if you are
vulnerable, try to disable certain</FONT>
<FONT COLOR="#222255">>features and services.</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>Netscape has been contacted on many
occasions, but has failed to</FONT>
<FONT COLOR="#222255">>respond.</FONT>
<FONT COLOR="#222255">></FONT>
<FONT
COLOR="#222255">>__________________________________________________________</FONT>
<FONT COLOR="#222255">></FONT>
<FONT COLOR="#222255">>   S.A.F.E.R. - Security Alert For
Entreprise Resources</FONT>
<FONT COLOR="#222255">>          Copyright (c) 2000 The
Relay Group</FONT>
<FONT COLOR="#222255">> <A TARGET=nonlocal
HREF="/external/http://safer.siamrelay.com";><A HREF="http://safer.siamrelay.com</A">http://safer.siamrelay.com</A</A>> 
---  <A
HREF="mailto:security () relaygroup com">security () relaygroup com</A></FONT>
<FONT
COLOR="#222255">>__________________________________________________________</FONT>
<FONT COLOR="#222255">></FONT>

____________________________________________________________________
Get your own FREE, personal Netscape WebMail account today
at <A TARGET=nonlocal
HREF="/external/http://webmail.netscape.com";><A 
HREF="http://webmail.netscape.com</A">http://webmail.netscape.com</A</A>>.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault