[14387] in bugtraq
Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and
daemon@ATHENA.MIT.EDU (Vanja Hrustic)
Wed Mar 22 17:38:18 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <38D8A4FF.7011A1B5@relaygroup.com>
Date:         Wed, 22 Mar 2000 17:48:31 +0700
Reply-To: vanja@relaygroup.com
From: Vanja Hrustic <vanja@RELAYGROUP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
amonotod wrote:
>
> Hello all,
>
> Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though
> WebPublishing has never (not even just to try it out) been enabled.  All
> commands (plus more that don't work) listed in bulletin are contained in the
> file "_install_path_\SuiteSpot\plugins\content_mgr\bin\content_mgr.dll".
>
> regards,
> amonotod
A few more updates.
- Netscape/iPlanet still did not respond
- Stock installation of NES 3.6SP3 on Sparc/Solaris 2.7 without any
features enabled IS vulnerable to this problem. Web Publishing seems not
to be important at all
- NES 3.6SP3 on IRIX is also vulnerable
- ACLs cannot stop this problem; it looks like NES parses '?wp' tags even
before the request is checked against ACLs (tried under Solaris)
The only way to disable this 'feature' was to edit file ns-httpd.so
(under Solaris), and modify strings inside; for example, to change
'?wp-cs-dump' into '?ab-cd-efg' - or whatever. Under Windows, the
strings are indeed located in 'content_mgr.dll' - that was the first
place where strings were found. Later, the strings were found in another
DLL - ns-httpd.dll (if I remember correctly).
If you enable Web Publishing, make sure that you also modify the strings
inside content_mgr.dll (or content_mgr.so, if running on Solaris).
There are quite a few sites running NES 3.6SP3 (on Solaris) that are not
vulnerable. I would really like it if someone who has a setup like that and
is not vulnerable took a look at the NES setup and checked what
features are enabled/disabled. That might help to understand what needs
to be done in order to protect the servers.
Thanks to Reb for helpful details (erm... won't mention his email here,
so that people don't try the NES 'features' on his company website :)
Regards,
Vanja Hrustic
SAFER Editor
SAFER - free monthly security newsletter
Subscriptions at http://www.safermag.com
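The workaround described in the message above is a hand edit of the tag strings inside ns-httpd.so / ns-httpd.dll (and content_mgr.dll or content_mgr.so if Web Publishing is on). The script below is an added example, not code from the original post, from SAFER or from Netscape: it does that edit mechanically while keeping the replacement string exactly as long as the original, which is the one detail a binary patch must get right, since the string sits at a fixed offset in the library. Only '?wp-cs-dump' is named on this page, so the TAGS list carries just that entry; the other tags from the bulletin are not listed here and would have to be added by the reader. The SAMPLE_LIBRARY blob is a constructed stand-in for a real library image so the example runs offline; on a real host you would pass the path of the library instead.

```python
"""Same-length patching of the '?wp-...' tag strings in a NES library image."""
import shutil
import sys
from pathlib import Path

# Only '?wp-cs-dump' is named in the message above. The remaining tags from
# the SAFER bulletin are not listed on this page; add them here yourself.
TAGS = [b"?wp-cs-dump"]


def neutralise(tag: bytes) -> bytes:
    """Build a replacement of identical length that no longer matches the tag.

    '?' and '-' are kept, every other byte becomes 'z', so
    b'?wp-cs-dump' -> b'?zz-zz-zzzz'. Equal length is essential: the string
    is referenced by offset inside the library and changing its size would
    shift everything stored behind it.
    """
    return bytes(b if b in b"?-" else ord("z") for b in tag)


def find_tags(data: bytes, tags=TAGS) -> dict:
    """Count how often each tag string still occurs in a binary image."""
    return {tag: data.count(tag) for tag in tags if data.count(tag)}


def patch_blob(data: bytes, tags=TAGS):
    """Return (patched_bytes, {tag: number of occurrences replaced})."""
    counts = {}
    for tag in tags:
        n = data.count(tag)
        if n:
            data = data.replace(tag, neutralise(tag))
            counts[tag] = n
    return data, counts


def patch_library(path: str, tags=TAGS) -> dict:
    """Back up <path> to <path>.orig and rewrite it with the tags neutralised.

    Returns the replacement counts. Refuses to touch a file that contains
    none of the tags: it is either already patched or the wrong library.
    """
    src = Path(path)
    data = src.read_bytes()
    patched, counts = patch_blob(data, tags)
    if not counts:
        raise ValueError(f"{path}: none of the tag strings present")
    assert len(patched) == len(data)  # the patch must never change the size
    shutil.copy2(src, src.with_suffix(src.suffix + ".orig"))
    src.write_bytes(patched)
    return counts


# Constructed stand-in for a library image (hypothetical content, not a real
# ns-httpd.so): an ELF-looking header, some unrelated strings, two tags.
SAMPLE_LIBRARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 24
    + b"?wp-cs-dump\x00index.html\x00ns-httpd\x00?wp-cs-dump\x00"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python patch_wp_tags.py /path/to/ns-httpd.so
        print(patch_library(sys.argv[1]))
    else:
        out, hits = patch_blob(SAMPLE_LIBRARY)
        print("replaced:", hits, "left over:", find_tags(out))
```

After patching, restart the server and confirm with a request carrying the original tag that it is no longer treated specially; keep the .orig copy, since a later service pack will overwrite the library and the edit then has to be checked again. This is a stop-gap until the vendor ships a fix, not a substitute for one.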