[14396] in bugtraq
Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and
daemon@ATHENA.MIT.EDU (Peter W)
Fri Mar 24 00:45:19 2000
Message-Id: <Pine.LNX.4.10.10003221817220.6178-200000@localhost>
Date: Wed, 22 Mar 2000 18:33:40 -0500
Reply-To: Peter W <peterw@USA.NET>
From: Peter W <peterw@USA.NET>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38D8A4FF.7011A1B5@relaygroup.com>
At 5:48pm Mar 22, 2000, Vanja Hrustic wrote:
> amonotod wrote:
> > Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though
> > WebPublishing has never (not even just to try it out) been enabled.
Same here. If directory browsing is enabled, wp-cs-dump gives a listing.
> - ACLs can not stop this problem; looks like NES parses '?wp' tags even
> before it is checked against ACLs (tried under Solaris)
More likely the ACLs don't match on query string information. (ACLs
usually trigger on ppath, which does not include the query string.)
> The only way to disable this 'feature' was to edit file ns-httpd.so
> (under Solaris), and modify strings inside; for example, to change
> '?wp-cs-dump' into '?ab-cd-efg' - or whatever.
Editing DLLs. Eek.
The attached NSAPI code was tested on NES 3.63 on Solaris and seems to
stop the problem on the server we can't disable directory browsing on. I'd
love to talk off-list with others working on this to see if there are other
things this doesn't catch, you know, weird URI-encoding, etc. If anyone
has more info on how to exploit the tags, that would be nice, too.
Netscape, if you're listening: this is a workaround; I'd like a fix. ;-)
-Peter
http://www.bastille-linux.org/ : working towards more secure Linux systems
[Attachment: PW_no_wpleak.c (TEXT/PLAIN, base64-encoded)]
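A stand-alone re-implementation of the attached module's check, added here as an example and not Peter's code: the tag list is the one in PW_no_wpleak.c, and the test goes beyond the original's exact prefix match by percent-decoding and lower-casing the query string first, to cover the encoding variants the message asks about. The NSAPI glue (pblock_findval(), protocol_status(), REQ_ABORTED) is left out so it compiles anywhere; query_has_wp_tag() is the function a PathCheck would call, and the sample query strings in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Known WebPublisher tags, copied from the attached PW_no_wpleak.c. */
static const char *const WEBPUB_TAGS[] = {
    "wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop",
    "wp-ver-diff", "wp-verify-link", "wp-start-ver", "wp-stop-ver",
    "wp-uncheckout", NULL
};

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode and lower-case at most n-1 bytes of src into dst.
 * Truncation is harmless: only a tag-length prefix is compared later. */
static void decode_prefix(const char *src, char *dst, size_t n) {
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0' && j + 1 < n; i++) {
        int c = (unsigned char)src[i];
        if (c == '%' && hexval(src[i + 1]) >= 0 && hexval(src[i + 2]) >= 0) {
            c = hexval(src[i + 1]) * 16 + hexval(src[i + 2]);
            i += 2;                        /* consumed the two hex digits */
        }
        dst[j++] = (char)tolower(c);
    }
    dst[j] = '\0';
}

/* Returns 1 when the decoded query string begins with a known WebPublisher
 * tag (the condition the PathCheck turns into a 404), otherwise 0. */
int query_has_wp_tag(const char *query) {
    char buf[64];
    if (query == NULL) return 0;           /* no query string: nothing to check */
    decode_prefix(query, buf, sizeof buf);
    for (int i = 0; WEBPUB_TAGS[i] != NULL; i++)
        if (strncmp(buf, WEBPUB_TAGS[i], strlen(WEBPUB_TAGS[i])) == 0)
            return 1;
    return 0;
}

int main(void) {
    /* constructed sample query strings, as a client might send them */
    const char *samples[] = { "wp-cs-dump", "%77p-cs-dump", "WP-VER-INFO",
                              "id=42", "", NULL };
    for (int i = 0; samples[i] != NULL; i++)
        printf("%-14s -> %s\n", samples[i],
               query_has_wp_tag(samples[i]) ? "404" : "pass");
    return 0;
}
```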