Bugtraq mailing list archives
Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp'tags
From: vanja () RELAYGROUP COM (Vanja Hrustic)
Date: Wed, 22 Mar 2000 17:48:31 +0700
amonotod wrote:

> Hello all,
>
> Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4 is vulnerable, even
> though WebPublishing has never (not even just to try it out) been enabled.
>
> All commands (plus more that don't work) listed in the bulletin are contained
> in the file "_install_path_\SuiteSpot\plugins\content_mgr\bin\content_mgr.dll".
>
> regards,
> amonotod
A few more updates.

- Netscape/iPlanet still did not respond.

- Stock installation of NES 3.6SP3 on Sparc/Solaris 2.7 without any features
  enabled IS vulnerable to this problem. Web Publishing seems not to be
  important at all.

- NES 3.6SP3 on IRIX is also vulnerable.

- ACLs cannot stop this problem; it looks like NES parses '?wp' tags even
  before the request is checked against ACLs (tried under Solaris).

The only way to disable this 'feature' was to edit the file ns-httpd.so (under
Solaris) and modify the strings inside; for example, change '?wp-cs-dump' into
'?ab-cd-efg' - or whatever.

Under Windows, the strings are indeed located in 'content_mgr.dll' - that was
the first place where the strings were found. Later, the strings were found in
another DLL - ns-httpd.dll (if I remember correctly). If you enable Web
Publishing, make sure that you also modify the strings inside content_mgr.dll
(or content_mgr.so, if running on Solaris).

There are quite a few sites running NES 3.6SP3 (on Solaris) that are not
vulnerable. I would really like it if someone who has a setup like that and is
not vulnerable took a look at the NES setup and checked what features are
enabled/disabled. That might help to understand what needs to be done in order
to protect the servers.

Thanks to Reb for helpful details (erm... won't mention his email here, so that
people don't try the NES 'features' on his company website :)

Regards,

Vanja Hrustic
SAFER Editor

SAFER - free monthly security newsletter
Subscriptions at http://www.safermag.com
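The string-patching workaround and the "ACLs don't help, only the access log shows it" point from the reply above, worked through as an added example. This is not code from the thread, from SAFER, or from Netscape/iPlanet. It assumes the tags are plain NUL-terminated byte strings inside ns-httpd.so / ns-httpd.dll (and content_mgr.so / content_mgr.dll when Web Publishing is on), as the reply describes; patch_tags, patch_file, find_wp_requests, WP_TAGS and the sample log lines are all made up here. Only '?wp-cs-dump' is named in this message, so WP_TAGS is an assumed list you would extend with the other tags from the bulletin.

```python
"""Added example: overwrite the '?wp' tag strings in place, and spot probes in the log.

Not code from the thread or from Netscape/iPlanet. Assumes the tags live in the
server binaries as NUL-terminated byte strings; WP_TAGS is an assumed list that
only carries the tag named in the reply (extend it from the bulletin).
"""
import shutil
from pathlib import Path

# Assumption: only the tag named in the thread. Add the rest from the bulletin.
WP_TAGS = [b"?wp-cs-dump"]


def patch_tags(blob, tags=WP_TAGS, replacement=b"?ab-cd-efg"):
    """Return (patched copy of blob, number of tag occurrences rewritten).

    Every occurrence of each tag is overwritten in place. The replacement is
    NUL-padded to the tag's length so no byte offset in the binary shifts; a
    replacement longer than a tag is refused, since writing it would clobber
    whatever follows the string in the file.
    """
    out = bytearray(blob)
    count = 0
    for tag in tags:
        if len(replacement) > len(tag):
            raise ValueError(f"replacement {replacement!r} is longer than {tag!r}")
        filler = replacement.ljust(len(tag), b"\x00")
        pos = out.find(tag)
        while pos != -1:
            out[pos:pos + len(tag)] = filler
            count += 1
            pos = out.find(tag, pos + len(tag))
    return bytes(out), count


def patch_file(path, replacement=b"?ab-cd-efg"):
    """Back up `path` to `<name>.orig`, patch it, and return the occurrence count.

    Stop the server first; rewriting a shared object that is mapped into a
    running process is not safe. When no tag is found (wrong library, or an
    already-patched one) the file is left untouched and 0 is returned.
    """
    p = Path(path)
    patched, count = patch_tags(p.read_bytes(), replacement=replacement)
    if count:
        shutil.copy2(p, p.with_name(p.name + ".orig"))
        p.write_bytes(patched)
    return count


def find_wp_requests(log_lines):
    """Return (line number, request line) pairs whose query string starts with 'wp-'.

    Since the tags are parsed before the ACL check, the access log is the only
    server-side place the probes show up. Matching is case-insensitive and
    deliberately narrow: the literal '?wp-' form only, so 'q=wp-cs-dump' in an
    ordinary search query is not flagged.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        # Common log format: the request is the first double-quoted field.
        parts = line.split('"')
        if len(parts) < 3:
            continue
        req = parts[1].split()  # e.g. ['GET', '/index.html?wp-cs-dump', 'HTTP/1.0']
        if len(req) < 2 or "?" not in req[1]:
            continue
        query = req[1].split("?", 1)[1]
        if query.lower().startswith("wp-"):
            hits.append((n, parts[1]))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.7 - - [22/Mar/2000:17:48:31 +0700] "GET /index.html HTTP/1.0" 200 1422',
    '10.0.0.7 - - [22/Mar/2000:17:48:40 +0700] "GET /index.html?wp-cs-dump HTTP/1.0" 200 8810',
    '10.0.0.9 - - [22/Mar/2000:17:49:02 +0700] "GET /search?q=wp-cs-dump HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. ns-httpd.so content_mgr.so
        print(f"{path}: {patch_file(path)} occurrence(s) patched")
    for n, req in find_wp_requests(SAMPLE_LOG):
        print(f"line {n}: {req}")
```

Run it against every library that carries the strings (the reply names ns-httpd.so/.dll, plus content_mgr.so/.dll when Web Publishing is enabled), with the server stopped, then restart and re-request the '?wp-cs-dump' URL to confirm it no longer answers. The patch lives in the binary, so it is undone by any service pack or reinstall and has to be reapplied; keep the .orig copies so the change can be reverted if the vendor does ship a fix.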
Current thread:
- [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags Vanja Hrustic (Mar 17)
- <Possible follow-ups>
- Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags amonotod (Mar 21)
- Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp'tags Vanja Hrustic (Mar 22)
- Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp'tags Peter W (Mar 22)
- Subtle data corruption of TCP streams Wietse Venema (Mar 22)
- Re: Subtle data corruption of TCP streams Guido van Rooij (Mar 24)
- Local Linux Crash Javor Ninov (Mar 24)
- Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp'tags Vanja Hrustic (Mar 22)
- Local root compromise in GNQS 3.50.6 and 3.50.7 Philippe Andersson (Mar 22)
- Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp'tags Doug Monroe (Mar 22)
- Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags jobs () NETWORKCOMMAND COM (Mar 22)
- Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags Phydeaux (Mar 22)
