Bugtraq mailing list archives
Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags
From: reb () TACO COM (Phydeaux)
Date: Wed, 22 Mar 2000 20:21:09 -0500
At 08:44 PM 3/22/2000 +0000, you wrote:
This has nothing to do with the web publishing feature in NES but rather the "Directory Indexing" function. It seems SAFER found options a client can pass to the server in order to use this feature. Because many people were unaware of this function, it seems like a vulnerability.
Yes -- but this "feature" lists the content of directories even when there is a valid index file in that directory. In such a case the server is supposed to display the index file, not a directory listing. Clearly, the observed behaviour is not what most system administrators would expect.

reb
reb@taco,com
To turn it off via the Admin Interface:
Select your web site. Then select Content Management->Document Preferences. Under the item titled "Directory Indexing" select none.

To turn it off in the config:
Look for this option in obj.conf:
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Set fn equal to:
fn="send-error"

Thanks,
Mike
NetworkCommand.com

Hello all,
Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though WebPublishing has never (not even just to try it out) been enabled. All commands (plus more that don't work) listed in bulletin are contained in the file "_install_path_\SuiteSpot\plugins\content_mgr\bin\content_mgr.dll".

regards,
amonotod

>__________________________________________________________
>
> S.A.F.E.R. Security Bulletin 000317.EXP.1.5
>__________________________________________________________
>
>
>TITLE : Netscape Enterprise Server and '?wp' tags
>DATE : March 17, 2000
>NATURE : Remote user can obtain list of directories on Netscape
>Enterprise Server
>AFFECTED : Netscape Enterprise Server 3.x
>
>PROBLEM:
>
>Problem exists in Netscape Enterprise Server that can allow remote user
>to obtain list of directories and subdirectories on the server.
>
>DETAILS:
>
>Netscape Enterprise Server with 'Web Publishing' enabled can be tricked
>into displaying the list of directories and subdirectories, if user
>supplies certain 'tags'. For example:
>
>http://home.netscape.com/?wp-cs-dump
>
>will reveal the contents of the root directory on that web server.
>Contents of subdirectories can be obtained as well. Other tags that can
>be used are:
>
>?wp-ver-info
>?wp-html-rend
>?wp-usr-prop
>?wp-ver-diff
>?wp-verify-link
>?wp-start-ver
>?wp-stop-ver
>?wp-uncheckout
>
>FIXES:
>
>Disable 'Web Publishing'. It is safe to assume that 'Web Publishing' is
>not the only feature that will 'activate' this problem. We have found
>few servers running Netscape Enterprise Server that did not have 'Web
>Publishing' enabled, but were still vulnerable to this problem. Until
>Netscape makes an official response and clarify what is the cause of
>this problem, it is advised that you test your server against this
>vulnerability, and if you are vulnerable, try to disable certain
>features and services.
>
>Netscape has been contacted on many occasions, but has failed to
>respond.
>
>__________________________________________________________
>
> S.A.F.E.R. - Security Alert For Entreprise Resources
> Copyright (c) 2000 The Relay Group
> http://safer.siamrelay.com --- security () relaygroup com
>__________________________________________________________
>
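An added example, not part of the thread and not Netscape's own tooling: a small audit for the obj.conf change described in the quoted message, reporting any Service directive for type="magnus-internal/directory" whose fn is not "send-error". The sample file is constructed, and the comment and continuation-line handling is an assumption about obj.conf syntax.

```python
import re

# Matches key="value" or key=value parameters on a directive line.
PARAM_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')
DIR_TYPE = "magnus-internal/directory"   # type named in the post
SAFE_FN = "send-error"                   # replacement fn named in the post

def directives(text):
    """Yield (first_line_no, name, params) for each directive.
    Assumption: '#' starts a comment, and a line that begins with
    whitespace continues the previous directive."""
    logical = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1][1] += " " + raw.strip()
        else:
            logical.append([no, raw.strip()])
    for no, line in logical:
        if line.startswith("<"):          # <Object ...> and </Object> tags
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        params = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in PARAM_RE.finditer(rest)}
        yield no, parts[0], params

def audit(text):
    """Return [(line_no, fn)] for directory Service lines not set to send-error."""
    return [(no, p.get("fn")) for no, name, p in directives(text)
            if name == "Service" and p.get("type") == DIR_TYPE
            and p.get("fn") != SAFE_FN]

# Constructed sample, not taken from a real server.
SAMPLE = '''\
<Object name="default">
# constructed example
PathCheck fn="find-index" index-names="index.html,home.html"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD)"
    type="magnus-internal/directory" fn="send-error"
Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
</Object>
'''

if __name__ == "__main__":
    for no, fn in audit(SAMPLE):
        print(f"line {no}: directory requests still served by fn={fn!r}")
```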
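An added example, not part of the thread: a log check that finds requests whose query string is one of the tags listed in the quoted bulletin, grouped by client, so an administrator can see whether a server has been probed and what status it returned. It assumes the access log is in Common Log Format; the log lines are constructed and use documentation addresses.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Tags listed in the quoted SAFER bulletin.
WP_TAGS = {"wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop",
           "wp-ver-diff", "wp-verify-link", "wp-start-ver", "wp-stop-ver",
           "wp-uncheckout"}

# Assumed Common Log Format:
# host ident user [time] "METHOD target PROTO" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

def wp_tag_hits(lines):
    """Return {client: [(path, tag, status), ...]} for requests whose
    query string starts with one of the listed tags."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue                      # not a parseable request line
        host, _method, target, status, _size = m.groups()
        path, sep, query = target.partition("?")
        # Decode %-escapes and lowercase so trivially altered forms still match.
        tag = unquote(query).split("&")[0].lower()
        if sep and tag in WP_TAGS:
            hits[host].append((path, tag, int(status)))
    return dict(hits)

# Constructed sample log lines.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Mar/2000:20:01:07 -0500] "GET /?wp-cs-dump HTTP/1.0" 200 1432',
    '192.0.2.10 - - [22/Mar/2000:20:01:09 -0500] "GET /docs/?wp%2Dver-info HTTP/1.0" 404 207',
    '198.51.100.7 - - [22/Mar/2000:20:02:11 -0500] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [22/Mar/2000:20:02:15 -0500] "GET /search?q=wp-cs-dump HTTP/1.0" 200 311',
]

if __name__ == "__main__":
    for client, reqs in wp_tag_hits(SAMPLE_LOG).items():
        for path, tag, status in reqs:
            print(f"{client} requested {path}?{tag} -> HTTP {status}")
```

A 200 response to one of these requests is the case to follow up on, since it means the server answered rather than rejected the tag.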