Subject: Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp'tags
From: Doug Monroe (monroe LUCENT.COM)
Date: Wed Mar 22 2000 - 07:47:50 CST
From what I've observed, this '?wp' behavior does NOT affect servers that DENY
directory listings.
This problem was NOT observed on NT4/SP4/NS3.6.3 with a "deny directory listings"
entry (in obj.conf) of:
Service method="(GET|HEAD)"
path="d:/htdocs/go-away.html"
type="magnus-internal/directory"
fn="send-error"
Similarly not a problem on Solaris2.6/NS3.6.3 with:
Service method="(GET|HEAD)"
path="/home/htdocs/go-away.html"
type="magnus-internal/directory"
fn="send-error"
If you leave off the path="" arg, the server still just errors with 500 on
a '?wp' request...so it would seem to me that this '?wp' problem is only a
problem for those who do not disable directory listing.
$ cat go-away.html
<html>
<head>
<title>bzzzttt</title>
</head>
<body bgcolor="#ffffff">
browsing thru directories is not allowed.
</body>
</html>
FWIW- WebPublishing was never enabled on either host.
-- D Monroe

amonotod wrote:
>
> Hello all,
>
> Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though
> WebPublishing has never (not even just to try it out) been enabled. All
> commands (plus more that don't work) listed in bulletin are contained in the
> file "_install_path_\SuiteSpot\plugins\content_mgr\bin\content_mgr.dll".
>
> regards,
> amonotod
>
> >__________________________________________________________
> >
> > S.A.F.E.R. Security Bulletin 000317.EXP.1.5
> >__________________________________________________________
> >
> >
> >TITLE : Netscape Enterprise Server and '?wp' tags
> >DATE : March 17, 2000
> >NATURE : Remote user can obtain list of directories on Netscape
> >Enterprise Server
> >AFFECTED : Netscape Enterprise Server 3.x
> >
> >PROBLEM:
> >
> >Problem exists in Netscape Enterprise Server that can allow remote user
> >to obtain list of directories and subdirectories on the server.
> >
> >DETAILS:
> >
> >Netscape Enterprise Server with 'Web Publishing' enabled can be tricked
> >into displaying the list of directories and subdirectories, if user
> >supplies certain 'tags'. For example:
> >
> >http://home.netscape.com/?wp-cs-dump
> >
> >will reveal the contents of the root directory on that web server.
> >Contents of subdirectories can be obtained as well. Other tags that can
> >be used are:
> >
> >?wp-ver-info
> >?wp-html-rend
> >?wp-usr-prop
> >?wp-ver-diff
> >?wp-verify-link
> >?wp-start-ver
> >?wp-stop-ver
> >?wp-uncheckout
> >
> >FIXES:
> >
> >Disable 'Web Publishing'. It is safe to assume that 'Web Publishing' is
> >not the only feature that will 'activate' this problem. We have found
> >few servers running Netscape Enterprise Server that did not have 'Web
> >Publishing' enabled, but were still vulnerable to this problem. Until
> >Netscape makes an official response and clarify what is the cause of
> >this problem, it is advised that you test your server against this
> >vulnerability, and if you are vulnerable, try to disable certain
> >features and services.
> >
> >Netscape has been contacted on many occasions, but has failed to
> >respond.
> >
> >__________________________________________________________
> >
> > S.A.F.E.R. - Security Alert For Entreprise Resources
> > Copyright (c) 2000 The Relay Group
> > http://safer.siamrelay.com --- security relaygroup.com
> >__________________________________________________________
> >
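
Added example, not part of the original message or of Netscape's tooling: a small obj.conf audit that reports, per object, whether requests of type magnus-internal/directory reach send-error (the deny entry shown in the message) or a directory indexer. The indexer names index-common and index-simple are Netscape's built-in functions and do not appear in the message; the sample fragments are constructed, and the parser assumes an indented line continues the previous directive.

```python
import re

# Constructed sample obj.conf fragments (not taken from a real server).
LISTING_ON = '''<Object name="default">
NameTrans fn="document-root" root="/home/htdocs"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
</Object>
'''
LISTING_DENIED = '''<Object name="default">
NameTrans fn="document-root" root="/home/htdocs"
Service method="(GET|HEAD)"
    path="/home/htdocs/go-away.html"
    type="magnus-internal/directory"
    fn="send-error"
Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
</Object>
'''

PARAM = re.compile(r'([\w-]+)="([^"]*)"')
INDEXERS = {"index-common", "index-simple"}  # functions that render a listing

def directives(text):
    """Yield (object_name, directive, params) for each logical line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:   # assumed continuation rule
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    obj = None
    for line in logical:
        if line.startswith("</Object"):
            obj = None
        elif line.startswith("<Object"):
            attrs = dict(PARAM.findall(line))
            obj = attrs.get("name") or attrs.get("ppath")
        else:
            name, _, rest = line.partition(" ")
            yield obj, name, dict(PARAM.findall(rest))

def audit_directory_service(text):
    """Classify the first Service directive for directories in each object."""
    result = {}
    for obj, name, p in directives(text):
        if name == "Service" and p.get("type") == "magnus-internal/directory" and obj not in result:
            fn = p.get("fn", "")
            result[obj] = "denied" if fn == "send-error" else "listing" if fn in INDEXERS else "other:" + fn
    return result
```

An object missing from the result has no Service directive for directories at all and should be reviewed by hand.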