Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Security Hole in Netscape Enterprise Server 3.0

From: FPL () AUSYS SE (Pihl Fredrik)
Date: Fri, 24 Apr 1998 18:36:47 +0100

Hi,

You will have to protect your Web applications using the Wildcard protection
feature. It's mentioned at Netscape's Developer site in the Technotes/FAQ,
http://developer.netscape.com. Deny acces to all *.web requests.

Best regards,
Fredrik Pihl






Fredrik Pihl
AU-System Network / Internet Göteborg
Ebbe Lieberathsgatan 18 A
Box 16017  S-412 21  Göteborg SWEDEN
Phone: +46 31 335 58 10  Fax: +46 31 335 89 81
Mailto: fredrik.pihl () ausys se
http://www.ausys.se/



-----Original Message-----
From: Daragh Malone [SMTP:daragh_malone () ACCURIS IE]
Sent: den 24 april 1998 13:48
To:   BUGTRAQ () NETSPACE ORG
Subject:      Security Hole in Netscape Enterprise Server 3.0

     Hi All,
        I don't know if there is a patch for this, or if this is already
     well known, but here it is. A simple workaround follows.

     Problem: Livewire Applications are downloadable. (Passwords are
     unencrypted)

     Platform: DEC UNIX 4.0D (possibly all Unixes/NT)

     Description:
        Livewire applications are basically server-side Javascript
     applications that behave similiar to Active Server Pages. The main
     difference is that Livewire applications are compiled to a
proprietary
     byte executable that contains all the pages in the application.
        These applications are generated with .web extensions. In their
own
     example, the game hangman is accessed as
     http://www.myserver.com/hangman/ and the application is hangman.web.
     So accessing http://www.myserver.com/hangman/hangman.web will
download
     the application to your browser.
        The second problem lies in the fact that all the pages are
     readable, and that database username/passwords are unencrypted,
unless
     specifically encrypted in your application.
        The two problems combined can compromise security. This problem
     occurs regardless of Web directory permissions from a server level.

     Quick Workaround:
        Rename the .web application to something cryptic like G6r$79k9.web
     and make sure that the directory it's in isn't a document directory.

     Rant:
        I verified this problem on a few Internet sites, which leads to
the
     question: If you verify a web security problem (remember .. at the
end
     of Active Server Pages) is this technically illegal.
        If anyone knows if this problem has been fixes I'd really
     appreciate it.


        Thanks,
        D.Malone.
Previous By Date Next
Previous By Thread Next

Current thread: