Subject: Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp'tags
From: Peter W (peterwUSA.NET)
Date: Wed Mar 22 2000 - 17:33:40 CST


At 5:48pm Mar 22, 2000, Vanja Hrustic wrote:

> amonotod wrote:

> > Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though
> > WebPublishing has never (not even just to try it out) been enabled.

Same here. If directory browsing is enabled, wp-cs-dump gives a listing.

> - ACLs can not stop this problem; looks like NES parses '?wp' tags even
> before it is checked against ACLs (tried under Solaris)

More likely the ACLs don't match on query string information. (ACLs
usually trigger on ppath, which does not include the query string.)

> The only way to disable this 'feature' was to edit file ns-httpd.so
> (under Solaris), and modify strings inside; for example, to change
> '?wp-cs-dump' into '?ab-cd-efg' - or whatever.

Editing DLLs. Eek.

The attached NSAPI code was tested on NES 3.63 on Solaris and seems to
stop the problem on the server we can't disable directory browsing on. I'd
love to talk off-list with others working on this to see if there are other
things this doesn't catch, you know, weird URI-encoding, etc. If anyone
has more info on how to exploit the tags, that would be nice, too.

Netscape, if you're listening: this is a workaround; I'd like a fix. ;-)

-Peter

http://www.bastille-linux.org/ : working towards more secure Linux systems
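Added example, not the NSAPI code attached to Peter's post: a standalone C check for the "?wp-" query strings discussed in the thread. The point raised above is that NES ACLs match on ppath, which excludes the query string, so any server-side filter has to look at the query itself; and Peter's open question is whether odd URI encodings slip past such a filter. The check below percent-decodes and lower-cases the query before comparing, so "?%57p-cs-dump" and "?WP-CS-DUMP" are caught along with the plain form. The function names (decode_query, is_wp_query), the 1024-byte buffer, the decision to fail closed on an undecodable query, and the NSAPI wiring sketched in the trailing comment (pblock_findval, protocol_status, REQ_ABORTED) are this example's own assumptions, not something the original post documents.

```c
/* Added example, not the code attached to the original post.
 * Assumption: NES decodes the query string once before matching "?wp-"
 * tags, so one decoding pass here mirrors what the server will see. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst (dstlen bytes), lower-casing each byte.
 * '+' becomes a space, as in form encoding. Malformed %xx sequences are
 * copied through untouched. Returns 0 on success, -1 if the decoded query
 * would not fit in dst. */
int decode_query(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int h = hexval((unsigned char)src[i + 1]);
            int l = (h >= 0) ? hexval((unsigned char)src[i + 2]) : -1;
            if (h >= 0 && l >= 0) {
                c = h * 16 + l;
                i += 2;
            }
        } else if (c == '+') {
            c = ' ';
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)tolower(c);
    }
    dst[o] = '\0';
    return 0;
}

/* Returns 1 if the raw (still-encoded) query string would be read by NES
 * as a Web Publisher "?wp-" tag, 0 otherwise. Leading whitespace after
 * decoding is skipped so "?%20wp-cs-dump" is also caught. A query that
 * does not fit the decode buffer is treated as a match (fail closed),
 * which is the safer default for a filter that exists only to deny. */
int is_wp_query(const char *query) {
    char buf[1024];
    if (query == NULL) return 0;            /* no query string: nothing to check */
    if (decode_query(query, buf, sizeof buf) != 0) return 1;
    const char *p = buf;
    while (*p != '\0' && isspace((unsigned char)*p)) p++;
    return strncmp(p, "wp-", 3) == 0;
}

/* Stand-alone demonstration on constructed query strings. */
int main(void) {
    const char *samples[] = {
        "wp-cs-dump", "%57p-cs-dump", "WP-CS-DUMP", "%20wp-html-rend",
        "foo=bar", "wp", NULL
    };
    for (size_t i = 0; samples[i] != NULL; i++)
        printf("?%-18s -> %s\n", samples[i],
               is_wp_query(samples[i]) ? "deny" : "allow");
    return 0;
}

/* Assumed NSAPI wiring (from the NSAPI PathCheck interface, not from the
 * original post): fetch the query with pblock_findval("query", rq->reqpb),
 * call is_wp_query() on it, and on a match do
 *     protocol_status(sn, rq, PROTOCOL_FORBIDDEN, NULL);
 *     return REQ_ABORTED;
 * otherwise return REQ_NOACTION so the normal ACL processing continues. */
```

The filter is deliberately a prefix match on "wp-" rather than a list of known tag names, so it covers wp-cs-dump along with any other "?wp" tag Vanja refers to. If the server turns out to decode the query more than once, the decode step should be repeated until the string stops changing before the comparison.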