[6597] in bugtraq
Re: Security Hole in Netscape Enterprise Server 3.0
daemon@ATHENA.MIT.EDU (Pihl Fredrik)
Fri Apr 24 16:07:26 1998
Date: Fri, 24 Apr 1998 18:36:47 +0100
Reply-To: Pihl Fredrik <FPL@AUSYS.SE>
From: Pihl Fredrik <FPL@AUSYS.SE>
X-To: Daragh Malone <daragh_malone@ACCURIS.IE>
To: BUGTRAQ@NETSPACE.ORG
Hi,
You will have to protect your Web applications using the Wildcard protection
feature. It's mentioned at Netscape's Developer site in the Technotes/FAQ,
http://developer.netscape.com. Deny access to all *.web requests.
Best regards,
Fredrik Pihl
Fredrik Pihl
AU-System Network / Internet Göteborg
Ebbe Lieberathsgatan 18 A
Box 16017 S-412 21 Göteborg SWEDEN
Phone: +46 31 335 58 10 Fax: +46 31 335 89 81
Mailto: fredrik.pihl@ausys.se
http://www.ausys.se/
> -----Original Message-----
> From: Daragh Malone [SMTP:daragh_malone@ACCURIS.IE]
> Sent: den 24 april 1998 13:48
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Security Hole in Netscape Enterprise Server 3.0
>
> Hi All,
> I don't know if there is a patch for this, or if this is already
> well known, but here it is. A simple workaround follows.
>
> Problem: Livewire Applications are downloadable. (Passwords are
> unencrypted)
>
> Platform: DEC UNIX 4.0D (possibly all Unixes/NT)
>
> Description:
> Livewire applications are basically server-side Javascript
> applications that behave similarly to Active Server Pages. The main
> difference is that Livewire applications are compiled to a proprietary
> byte executable that contains all the pages in the application.
> These applications are generated with .web extensions. In their own
> example, the game hangman is accessed as
> http://www.myserver.com/hangman/ and the application is hangman.web.
> So accessing http://www.myserver.com/hangman/hangman.web will download
> the application to your browser.
> The second problem lies in the fact that all the pages are
> readable, and that database username/passwords are unencrypted, unless
> specifically encrypted in your application.
> The two problems combined can compromise security. This problem
> occurs regardless of Web directory permissions from a server level.
>
> Quick Workaround:
> Rename the .web application to something cryptic like G6r$79k9.web
> and make sure that the directory it's in isn't a document directory.
>
> Rant:
> I verified this problem on a few Internet sites, which leads to the
> question: If you verify a web security problem (remember .. at the end
> of Active Server Pages) is this technically illegal?
> If anyone knows if this problem has been fixed I'd really
> appreciate it.
>
>
> Thanks,
> D.Malone.
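The reply above recommends denying all requests for *.web files. The following is an added example, not part of either message in this thread, that a server administrator could run over NCSA Common Log Format access logs to confirm that no compiled LiveWire application was actually served: it flags every request whose path ends in .web (normalising case and percent-encoding, so that a deny rule matching only the literal lowercase extension is also caught) and reports whether the server served or denied it. The log lines and the 192.0.2.x client addresses are constructed sample data.

```python
import re
from urllib.parse import unquote, urlsplit

# NCSA Common Log Format: host ident user [time] "method target proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_web_app_request(target: str) -> bool:
    """True if the request path, with query string dropped and percent-encoding
    decoded, ends in .web regardless of letter case."""
    path = unquote(urlsplit(target).path)
    return path.lower().endswith(".web")

def verdict(status: int) -> str:
    """Classify the server's answer to a .web request."""
    if 200 <= status < 300:
        return "served"       # the compiled application left the server: exposed
    if status in (401, 403):
        return "denied"       # the *.web protection rule did its job
    return "other"            # e.g. 404 (file absent) or 3xx

def audit_web_requests(lines):
    """Return (host, target, status, verdict) for every request for a .web file."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or not is_web_app_request(m["target"]):
            continue
        status = int(m["status"])
        findings.append((m["host"], m["target"], status, verdict(status)))
    return findings

# Constructed sample log: one harmless request, two that fetched the
# application (one using a case/encoding variant), one correctly denied.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Apr/1998:13:48:00 +0100] "GET /hangman/ HTTP/1.0" 200 1532',
    '192.0.2.10 - - [24/Apr/1998:13:48:05 +0100] "GET /hangman/hangman.web HTTP/1.0" 200 40960',
    '192.0.2.11 - - [24/Apr/1998:13:50:12 +0100] "GET /hangman/hangman%2EWEB?x=1 HTTP/1.0" 200 40960',
    '192.0.2.12 - - [24/Apr/1998:14:01:00 +0100] "GET /hangman/hangman.web HTTP/1.0" 403 0',
]

if __name__ == "__main__":
    for host, target, status, result in audit_web_requests(SAMPLE_LOG):
        print(f"{result:7s} {status} {host} {target}")
```

Any line reported as "served" means a copy of the compiled application, including whatever database credentials it embeds, is already in someone's hands, so the credentials should be treated as disclosed, not merely the rule fixed.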