Bugtraq mailing list archives

Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags
From: reb () TACO COM (Phydeaux)
Date: Wed, 22 Mar 2000 20:21:09 -0500

At 08:44 PM 3/22/2000 +0000, you wrote:
This has nothing to do with the web publishing feature in
NES but rather the "Directory Indexing" function.

It seems SAFER found options a client can pass to the server
in order to use this feature. Because many people were
unaware of this function, it seems like a vulnerability.

Yes -- but this "feature" lists the content of directories even when there
is a valid index file in that directory. In such a case the server is
supposed to display the index file, not a directory listing. Clearly, the
observed behaviour is not what most system administrators would expect.

reb () taco,com

To turn it off via the Admin Interface:
Select your web site. Then select Content
Management->Document Preferences. Under the item titled
"Directory Indexing" select none.

To turn it off in the config:
Look for this option in obj.conf:
Service method="(GET|HEAD)" type="magnus-internal/directory"

Set fn equal to: fn="send-error"



Hello all,

Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even
though WebPublishing has never (not even just to try it out) been enabled.
All commands (plus more that don't work) listed in bulletin are contained
in the


>
>      S.A.F.E.R. Security Bulletin
>
>
>TITLE    : Netscape Enterprise Server and '?wp' tags
>DATE     : March 17, 2000
>NATURE   : Remote user can obtain list of directories on Netscape
>Enterprise Server
>AFFECTED : Netscape Enterprise Server
>
>
>Problem exists in Netscape Enterprise Server that can allow remote user
>to obtain list of directories and subdirectories on the server.
>
>
>Netscape Enterprise Server with 'Web Publishing' enabled can be tricked
>into displaying the list of directories and subdirectories, if user
>supplies certain 'tags'. For
>
>
>will reveal the contents of the root directory on that web server.
>Contents of subdirectories can be obtained as well. Other tags that can
>be used are:
>
>?wp-ver-info
>?wp-html-rend
>?wp-usr-prop
>?wp-ver-diff
>?wp-verify-link
>?wp-start-ver
>?wp-stop-ver
>?wp-uncheckout
>
>FIXES:
>
>Disable 'Web Publishing'. It is safe to assume that 'Web Publishing' is
>not the only feature that will 'activate' this problem. We have found
>few servers running Netscape Enterprise Server that did not have 'Web
>Publishing' enabled, but were still vulnerable to this problem. Until
>Netscape makes an official response and clarify what is the cause of
>this problem, it is advised that you test your server against this
>vulnerability, and if you are vulnerable, try to disable certain
>features and services.
>
>Netscape has been contacted on many occasions, but has failed to
>respond.
>
>
>   S.A.F.E.R. - Security Alert For Entreprise Resources
>          Copyright (c) 2000 The Relay Group
> http://safer.siamrelay.com --- security () relaygroup com
>
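
The obj.conf change described in the thread can be checked mechanically. The following is an added example, not part of the original posts or of Netscape's tooling: it scans an obj.conf for Service lines of type "magnus-internal/directory" and reports any whose fn is not "send-error". The sample configuration is constructed, and the fn="index-common" value in it is an assumed example of an indexing-enabled setting.

```python
import re

# Constructed sample obj.conf fragment (not from the original post). The
# fn="index-common" value is an assumed example of an indexing-enabled setting.
SAMPLE_OBJ_CONF = '''\
<Object name="default">
NameTrans fn="pfx2dir" from="/docs" dir="/web/docs"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
</Object>
<Object name="private">
Service fn="send-error" type="magnus-internal/directory" method="(GET|HEAD)"
</Object>
'''

PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')
OBJECT_RE = re.compile(r'<Object\s+([^>]*)>', re.IGNORECASE)
DIR_TYPE = "magnus-internal/directory"


def audit_directory_indexing(conf_text):
    """Return (line_no, object_name, fn) for each directory Service line
    whose fn is not "send-error", i.e. where indexing is still enabled."""
    findings = []
    current_object = None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OBJECT_RE.match(line)
        if m:
            attrs = dict(PARAM_RE.findall(m.group(1)))
            current_object = attrs.get("name") or attrs.get("ppath")
            continue
        if line.lower().startswith("</object"):
            current_object = None
            continue
        directive, _, rest = line.partition(" ")
        if directive != "Service":
            continue
        params = dict(PARAM_RE.findall(rest))
        if params.get("type") == DIR_TYPE and params.get("fn") != "send-error":
            findings.append((line_no, current_object, params.get("fn")))
    return findings


if __name__ == "__main__":
    for line_no, obj, fn in audit_directory_indexing(SAMPLE_OBJ_CONF):
        print(f"line {line_no}: object {obj!r} serves directory listings via fn={fn!r}")
```

Only an exact type match is checked; Service lines that reach directories through a wildcard type pattern are not evaluated.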
