Bugtraq mailing list archives
Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags
From: amonotod () NETSCAPE NET (amonotod)
Date: Tue, 21 Mar 2000 10:17:42 CST
Hello all,

Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though WebPublishing has never (not even just to try it out) been enabled. All commands (plus more that don't work) listed in bulletin are contained in the file "_install_path_\SuiteSpot\plugins\content_mgr\bin\content_mgr.dll".

regards,
amonotod
__________________________________________________________

S.A.F.E.R. Security Bulletin 000317.EXP.1.5
__________________________________________________________

TITLE: Netscape Enterprise Server and '?wp' tags
DATE: March 17, 2000
NATURE: Remote user can obtain list of directories on Netscape Enterprise Server
AFFECTED: Netscape Enterprise Server 3.x

PROBLEM:

Problem exists in Netscape Enterprise Server that can allow remote user to obtain list of directories and subdirectories on the server.

DETAILS:

Netscape Enterprise Server with 'Web Publishing' enabled can be tricked into displaying the list of directories and subdirectories, if user supplies certain 'tags'. For example:

http://home.netscape.com/?wp-cs-dump

will reveal the contents of the root directory on that web server. Contents of subdirectories can be obtained as well. Other tags that can be used are:

?wp-ver-info
?wp-html-rend
?wp-usr-prop
?wp-ver-diff
?wp-verify-link
?wp-start-ver
?wp-stop-ver
?wp-uncheckout

FIXES:

Disable 'Web Publishing'.

It is safe to assume that 'Web Publishing' is not the only feature that will 'activate' this problem. We have found few servers running Netscape Enterprise Server that did not have 'Web Publishing' enabled, but were still vulnerable to this problem. Until Netscape makes an official response and clarify what is the cause of this problem, it is advised that you test your server against this vulnerability, and if you are vulnerable, try to disable certain features and services.

Netscape has been contacted on many occasions, but has failed to respond.

__________________________________________________________

S.A.F.E.R. - Security Alert For Entreprise Resources
Copyright (c) 2000 The Relay Group
http://safer.siamrelay.com --- security () relaygroup com
__________________________________________________________
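
Added example, not part of the original message or the S.A.F.E.R. bulletin: one way to follow the bulletin's advice to check your own server is to search its access log for requests carrying the listed '?wp' tags. It assumes Common Log Format; the sample log lines, the unlisted tag and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Tags named in the bulletin (without the leading '?').
BULLETIN_TAGS = {
    "wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop", "wp-ver-diff",
    "wp-verify-link", "wp-start-ver", "wp-stop-ver", "wp-uncheckout",
}

# Common Log Format (assumed): host ident user [time] "METHOD target proto" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Mar/2000:10:02:11 -0600] "GET /?wp-cs-dump HTTP/1.0" 200 1843
192.0.2.10 - - [21/Mar/2000:10:02:15 -0600] "GET /docs/?wp-ver-info HTTP/1.0" 404 207
198.51.100.7 - - [21/Mar/2000:10:05:40 -0600] "GET /index.html?id=5 HTTP/1.0" 200 5120
203.0.113.4 - - [21/Mar/2000:10:09:02 -0600] "GET /?%57P-Usr-Prop HTTP/1.0" 200 912
203.0.113.4 - - [21/Mar/2000:10:09:30 -0600] "GET /?wp-unlisted-example HTTP/1.0" 200 64
"""

def classify(line):
    """Return a finding dict for a request carrying a '?wp-' tag, else None."""
    m = CLF.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    # Decode and lowercase so %-encoded or mixed-case variants are not missed
    # (conservative assumption; the bulletin does not say how the server matches).
    tag = unquote(parts.query).split("&", 1)[0].split("=", 1)[0].lower()
    if not tag.startswith("wp-"):
        return None
    return {
        "host": m["host"], "time": m["ts"], "path": parts.path, "tag": tag,
        # The reply notes the DLL holds more commands than the bulletin lists,
        # so unlisted wp- tags are reported too, marked known=False.
        "known": tag in BULLETIN_TAGS,
        # A 200 suggests the server answered the tag: triage these first.
        "served": m["status"] == "200",
    }

def scan(lines):
    """Collect findings from an iterable of access-log lines."""
    return [f for f in map(classify, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Requests reported with served=True are the ones to check first against the FIXES section of the bulletin.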