Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp'tags
From: peterw () USA NET (Peter W)
Date: Wed, 22 Mar 2000 18:33:40 -0500

At 5:48pm Mar 22, 2000, Vanja Hrustic wrote:

amonotod wrote:

Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though
WebPublishing has never (not even just to try it out) been enabled.

Same here. If directory browsing is enabled, wp-cs-dump gives a listing.

- ACLs can not stop this problem; looks like NES parses '?wp' tags even
before it is checked against ACLs (tried under Solaris)

More likely the ACL's don't match on query string information. (ACL's
usually trigger on ppath, which does not include the query string.)

The only way to disable this 'feature' was to edit file ns-httpd.so
(under Solaris), and modify strings inside; for example, to change
'?wp-cs-dump' into '?ab-cd-efg' - or whatever.

Editing DLL's. Eek.

The attached NSAPI code was tested on NES 3.63 on Solaris and seems to
stop the problem on the server we can't disable directory browsing on. I'd
love to talk off-list with others working on this to see if ther are other
things this doesn't catch, you know, weird URI-encoding, etc. If anyone
has more info on how to explout the tags, that would be nice, too.

Netscape, if you're listening: this is a workaround; I'd like a fix. ;-)


http://www.bastille-linux.org/ : working towards more secure Linux systems

<LI>TEXT/PLAIN attachment: PW_no_wpleak.c

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]