[14401] in bugtraq


Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp'

daemon@ATHENA.MIT.EDU (Phydeaux)
Fri Mar 24 02:03:10 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id:  <4.2.0.58.20000322201719.018d6e60@taco.com>
Date:         Wed, 22 Mar 2000 20:21:09 -0500
Reply-To: Phydeaux <reb@TACO.COM>
From: Phydeaux <reb@TACO.COM>
X-To:         jobs@NETWORKCOMMAND.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000322204406.5893.qmail@securityfocus.com>

At 08:44 PM 3/22/2000 +0000, you wrote:
>This has nothing to do with the web publishing feature in
>NES but rather the "Directory Indexing" function.
>
>It seems SAFER found options a client can pass to the server
>in order to use this feature. Because many people were
>unaware of this function, it seems like a vulnerability.

Yes -- but this "feature" lists the content of directories even when there
is a valid index file in that directory. In such a case the server is
supposed to display the index file, not a directory listing. Clearly, the
observed behaviour is not what most system administrators would expect.

reb
reb@taco.com



>To turn it off via the Admin Interface:
>Select your web site. Then select Content
>Management->Document Preferences. Under the item titled
>"Directory Indexing" select none.
>
>To turn it off in the config:
>Look for this option in obj.conf:
>Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
>
>Set fn equal to: fn="send-error"
>
>
>Thanks,
>Mike
>
>NetworkCommand.com
>
>
>
>Hello all,
>
>Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though
>WebPublishing has never (not even just to try it out) been enabled.  All
>commands (plus more that don't work) listed in bulletin are contained in the
>file
>"_install_path_\SuiteSpot\plugins\content_mgr\bin\content_mgr.dll".
>
>regards,
>amonotod
>
>>__________________________________________________________
>>
>>      S.A.F.E.R. Security Bulletin 000317.EXP.1.5
>>__________________________________________________________
>>
>>
>>TITLE    : Netscape Enterprise Server and '?wp' tags
>>DATE     : March 17, 2000
>>NATURE   : Remote user can obtain list of directories on Netscape
>>Enterprise Server
>>AFFECTED : Netscape Enterprise Server 3.x
>>
>>PROBLEM:
>>
>>Problem exists in Netscape Enterprise Server that can allow remote user
>>to obtain list of directories and subdirectories on the server.
>>
>>DETAILS:
>>
>>Netscape Enterprise Server with 'Web Publishing' enabled can be tricked
>>into displaying the list of directories and subdirectories, if user
>>supplies certain 'tags'. For example:
>>
>>http://home.netscape.com/?wp-cs-dump
>>
>>will reveal the contents of the root directory on that web server.
>>Contents of subdirectories can be obtained as well. Other tags that can
>>be used are:
>>
>>?wp-ver-info
>>?wp-html-rend
>>?wp-usr-prop
>>?wp-ver-diff
>>?wp-verify-link
>>?wp-start-ver
>>?wp-stop-ver
>>?wp-uncheckout
>>
>>FIXES:
>>
>>Disable 'Web Publishing'. It is safe to assume that 'Web Publishing' is
>>not the only feature that will 'activate' this problem. We have found
>>few servers running Netscape Enterprise Server that did not have 'Web
>>Publishing' enabled, but were still vulnerable to this problem. Until
>>Netscape makes an official response and clarify what is the cause of
>>this problem, it is advised that you test your server against this
>>vulnerability, and if you are vulnerable, try to disable certain
>>features and services.
>>
>>Netscape has been contacted on many occasions, but has failed to
>>respond.
>>
>>__________________________________________________________
>>
>>   S.A.F.E.R. - Security Alert For Entreprise Resources
>>          Copyright (c) 2000 The Relay Group
>> http://safer.siamrelay.com  ---  security@relaygroup.com
>>__________________________________________________________
>>

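An added example, not part of any message in this thread: a small audit of obj.conf for the setting discussed above, reporting each `Service` directive of type `magnus-internal/directory` and whether its `fn` still generates a listing. The sample configuration is constructed, and the continuation-line handling and the `index-simple` function name are assumptions not stated in the thread.

```python
import re

# Constructed sample obj.conf fragment (not from a real server). The fourth
# line is a continuation line: it starts with whitespace (assumed syntax).
SAMPLE_OBJ_CONF = '''\
<Object name="default">
PathCheck fn="find-index" index-names="index.html,home.html"
Service method="(GET|HEAD)" type="magnus-internal/directory"
    fn="index-common"
Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
</Object>
<Object name="private">
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="send-error"
</Object>
'''

PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')
# index-common is named in the thread; index-simple is the server's other
# listing function (an addition here, not mentioned in the thread).
INDEXING_FNS = {"index-common", "index-simple"}

def logical_lines(text):
    """Yield (first_line_number, directive) with continuation lines joined."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] = (out[-1][0], out[-1][1] + " " + raw.strip())
        else:
            out.append((n, raw.strip()))
    return out

def audit_directory_indexing(text):
    """Report every directory Service directive and whether it lists files."""
    findings, obj = [], None
    for lineno, line in logical_lines(text):
        if line.startswith("<Object"):
            m = PARAM_RE.search(line)
            obj = m.group(2) if m else "?"
        elif line.startswith("Service"):
            params = dict(PARAM_RE.findall(line))
            if params.get("type") == "magnus-internal/directory":
                fn = params.get("fn")
                findings.append({"object": obj, "line": lineno, "fn": fn,
                                 "listing_enabled": fn in INDEXING_FNS})
    return findings
```

The `PathCheck fn="find-index"` line is deliberately not treated as a mitigation, since the reply above reports listings being returned even when a valid index file exists.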
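A second added example, also not from the thread: detection logic that scans access-log lines for requests carrying the `?wp-` tags listed in the quoted bulletin. It assumes Common Log Format; the log lines and addresses are constructed samples.

```python
import re
from urllib.parse import unquote

# Tags exactly as listed in the quoted S.A.F.E.R. bulletin.
WP_TAGS = {"wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop",
           "wp-ver-diff", "wp-verify-link", "wp-start-ver", "wp-stop-ver",
           "wp-uncheckout"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Mar/2000:20:01:11 -0500] "GET /?wp-cs-dump HTTP/1.0" 200 1532',
    '192.0.2.10 - - [22/Mar/2000:20:01:15 -0500] "GET /docs/?WP-Ver-Info HTTP/1.0" 200 804',
    '198.51.100.7 - - [22/Mar/2000:20:02:40 -0500] "GET /index.html?page=2 HTTP/1.0" 200 4410',
    '198.51.100.7 - - [22/Mar/2000:20:03:02 -0500] "GET /private/?wp-cs-dump HTTP/1.0" 404 210',
]

def find_wp_requests(lines):
    """Return one record per request whose query string is a listed wp- tag."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skipped rather than guessed at
        client, ts, _method, target, status, _size = m.groups()
        path, sep, query = target.partition("?")
        # Normalise before comparing: decode %xx escapes and ignore case.
        tag = unquote(query).lower().split("&")[0]
        if sep and tag in WP_TAGS:
            hits.append({"client": client, "time": ts, "path": path,
                         "tag": tag, "status": int(status),
                         # A 2xx answer means the server returned content
                         # for the tag and the directory deserves review.
                         "served": status.startswith("2")})
    return hits
```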