[14389] in bugtraq


Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and

daemon@ATHENA.MIT.EDU (Doug Monroe)
Wed Mar 22 17:57:38 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <38D8CF06.65D09960@lucent.com>
Date:         Wed, 22 Mar 2000 08:47:50 -0500
Reply-To: Doug Monroe <monroe@LUCENT.COM>
From: Doug Monroe <monroe@LUCENT.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

From what I've observed, this '?wp' behavior does NOT affect servers that DENY
directory listings.

This problem was NOT observed on NT4/SP4/NS3.6.3 with a "deny directory
listings" entry (in obj.conf) of:
  Service method="(GET|HEAD)"
          path="d:/htdocs/go-away.html"
          type="magnus-internal/directory"
          fn="send-error"
Similarly not a problem on Solaris2.6/NS3.6.3 with:
  Service method="(GET|HEAD)"
          path="/home/htdocs/go-away.html"
          type="magnus-internal/directory"
          fn="send-error"

If you leave off the path="" arg, the server still just errors with 500 on
a '?wp' request... so it would seem to me that this '?wp' problem is only a
problem for those who do not disable directory listing.

$ cat go-away.html
<html>
<head>
<title>bzzzttt</title>
</head>
<body bgcolor="#ffffff">
browsing thru directories is not allowed.
</body>
</html>

FWIW- WebPublishing was never enabled on either host.
--
D Monroe

amonotod wrote:
>
> Hello all,
>
> Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though
> WebPublishing has never (not even just to try it out) been enabled.  All
> commands (plus more that don't work) listed in bulletin are contained in the
> file "_install_path_\SuiteSpot\plugins\content_mgr\bin\content_mgr.dll".
>
> regards,
> amonotod
>
> >__________________________________________________________
> >
> >      S.A.F.E.R. Security Bulletin 000317.EXP.1.5
> >__________________________________________________________
> >
> >
> >TITLE    : Netscape Enterprise Server and '?wp' tags
> >DATE     : March 17, 2000
> >NATURE   : Remote user can obtain list of directories on Netscape
> >Enterprise Server
> >AFFECTED : Netscape Enterprise Server 3.x
> >
> >PROBLEM:
> >
> >Problem exists in Netscape Enterprise Server that can allow remote user
> >to obtain list of directories and subdirectories on the server.
> >
> >DETAILS:
> >
> >Netscape Enterprise Server with 'Web Publishing' enabled can be tricked
> >into displaying the list of directories and subdirectories, if user
> >supplies certain 'tags'. For example:
> >
> >http://home.netscape.com/?wp-cs-dump
> >
> >will reveal the contents of the root directory on that web server.
> >Contents of subdirectories can be obtained as well. Other tags that can
> >be used are:
> >
> >?wp-ver-info
> >?wp-html-rend
> >?wp-usr-prop
> >?wp-ver-diff
> >?wp-verify-link
> >?wp-start-ver
> >?wp-stop-ver
> >?wp-uncheckout
> >
> >FIXES:
> >
> >Disable 'Web Publishing'. It is safe to assume that 'Web Publishing' is
> >not the only feature that will 'activate' this problem. We have found a
> >few servers running Netscape Enterprise Server that did not have 'Web
> >Publishing' enabled, but were still vulnerable to this problem. Until
> >Netscape makes an official response and clarifies what the cause of
> >this problem is, it is advised that you test your server against this
> >vulnerability and, if you are vulnerable, try to disable certain
> >features and services.
> >
> >Netscape has been contacted on many occasions, but has failed to
> >respond.
> >
> >__________________________________________________________
> >
> >   S.A.F.E.R. - Security Alert For Entreprise Resources
> >          Copyright (c) 2000 The Relay Group
> > http://safer.siamrelay.com  ---  security@relaygroup.com
> >__________________________________________________________
> >

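The two checks the thread converges on, as an added example (this is not code from the thread, from S.A.F.E.R. or from Netscape): a static pass over obj.conf that asks whether magnus-internal/directory is wired to fn="send-error" the way Doug's hosts were, and a live probe that sends GET /?wp-cs-dump (and the other tags from the bulletin) and reports which ones come back 200. Assumptions: the set of obj.conf directive keywords used to tell a new directive from a wrapped continuation line, the `/?<tag>` request form taken from the bulletin's URL, and the two obj.conf fragments and fake fetchers, which are constructed for offline use rather than captured from a real server.

```python
"""Audit a Netscape Enterprise Server 3.x host for the '?wp-*' listing leak.
Check 1 (static): does obj.conf deny directory listings via send-error?
Check 2 (live):   does GET /?wp-<tag> answer 200 instead of an error?"""
import http.client
import re
import sys
from urllib.parse import urlsplit

# Tags from the S.A.F.E.R. bulletin quoted above.
WP_TAGS = [
    "wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop",
    "wp-ver-diff", "wp-verify-link", "wp-start-ver", "wp-stop-ver",
    "wp-uncheckout",
]

# Assumption: NES 3.x obj.conf directive keywords. A line starting with one of
# these opens a directive; any other indented line continues the previous one.
DIRECTIVE_NAMES = {"Init", "AuthTrans", "NameTrans", "PathCheck",
                   "ObjectType", "Service", "AddLog", "Error"}
ARG_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_obj_conf(text):
    """Return [(directive, {arg: value}), ...], joining directives that are
    wrapped across indented lines the way Doug's examples are."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue                      # blank, comment, <Object>/</Object>
        first = line.split(None, 1)[0]
        if first in DIRECTIVE_NAMES:
            joined.append(line)
        elif joined:                      # continuation of previous directive
            joined[-1] += " " + line
    parsed = []
    for line in joined:
        name, _, rest = line.partition(" ")
        parsed.append((name, dict(ARG_RE.findall(rest))))
    return parsed


def directory_service_fns(directives):
    """fn values that Service directives attach to magnus-internal/directory."""
    return [args.get("fn") for name, args in directives
            if name == "Service" and args.get("type") == "magnus-internal/directory"]


def denies_directory_listing(text):
    """True when every directory Service maps to send-error (Doug's 'deny
    directory listings' entry) and none to an index-* listing function."""
    fns = directory_service_fns(parse_obj_conf(text))
    return bool(fns) and all(fn == "send-error" for fn in fns)


def probe_wp_tags(fetch, tags=WP_TAGS):
    """fetch(path) -> (status, body). Returns {tag: status} for GET /?<tag>."""
    return {tag: fetch("/?" + tag)[0] for tag in tags}


def leaking_tags(statuses):
    """Tags served with 200. A listings-denied host errors instead (Doug saw
    500), so 200 is the signal that the tag actually did something."""
    return sorted(tag for tag, status in statuses.items() if status == 200)


def http_fetch(base_url, timeout=5):
    """Live plain-HTTP fetcher (assumption: port 80 unless the URL gives one)."""
    parts = urlsplit(base_url)

    def fetch(path):
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                          timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return resp.status, body
    return fetch


# Constructed obj.conf fragments for offline use, not captured from a real host.
DENY_CONF = """\
<Object name="default">
  Service method="(GET|HEAD)"
          path="/home/htdocs/go-away.html"
          type="magnus-internal/directory"
          fn="send-error"
  Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
</Object>
"""
LISTING_CONF = """\
<Object name="default">
  Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
  Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
</Object>
"""


def fake_fetch_listing_enabled(path):
    """Constructed stand-in for a host with listings on: every ?wp-* tag is 200."""
    return (200, b"<constructed listing>") if "?wp-" in path else (200, b"")


def fake_fetch_listing_denied(path):
    """Constructed stand-in for Doug's hosts: ?wp-* requests fail with 500."""
    return (500, b"") if "?wp-" in path else (200, b"")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: wp_audit.py http://host[:port]/")
    hits = leaking_tags(probe_wp_tags(http_fetch(sys.argv[1])))
    print("leaking tags:", ", ".join(hits) or "none")
```

Run it against your own host only; the static check is the one to pair with Doug's observation, since a conf that still routes magnus-internal/directory to index-common is exactly the case the bulletin's URL exercises.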