Bugtraq mailing list archives
Re: [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp'tags
From: peterw () USA NET (Peter W)
Date: Wed, 22 Mar 2000 18:33:40 -0500
At 5:48pm Mar 22, 2000, Vanja Hrustic wrote:
> amonotod wrote:
>> Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though WebPublishing has never (not even just to try it out) been enabled.
> Same here. If directory browsing is enabled, wp-cs-dump gives a listing.
> - ACLs can not stop this problem; looks like NES parses '?wp' tags even before it is checked against ACLs (tried under Solaris)
More likely the ACL's don't match on query string information. (ACL's usually trigger on ppath, which does not include the query string.)
> The only way to disable this 'feature' was to edit file ns-httpd.so (under Solaris), and modify strings inside; for example, to change '?wp-cs-dump' into '?ab-cd-efg' - or whatever.
Editing DLL's. Eek.

The attached NSAPI code was tested on NES 3.63 on Solaris and seems to stop the problem on the server we can't disable directory browsing on. I'd love to talk off-list with others working on this to see if there are other things this doesn't catch, you know, weird URI-encoding, etc. If anyone has more info on how to exploit the tags, that would be nice, too.

Netscape, if you're listening: this is a workaround; I'd like a fix. ;-)

-Peter
http://www.bastille-linux.org/ : working towards more secure Linux systems

TEXT/PLAIN attachment: PW_no_wpleak.c
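A sketch of the kind of query-string check the message describes, including the "weird URI-encoding" case it raises. This is an added example, not the attached PW_no_wpleak.c, whose contents do not appear on this page. The function names, the `wp-` prefix match, case-insensitivity and the decode limits are assumptions, and the NSAPI hook that would call it is omitted.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst (cap bytes). Malformed escapes are copied
 * literally. Returns -1 on a decoded NUL or overflow so callers fail closed. */
static int pct_decode(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    while (*src) {
        int hi = -1, lo = -1, c = (unsigned char)*src++;
        if (c == '%' && (hi = hex_val((unsigned char)src[0])) >= 0
                     && (lo = hex_val((unsigned char)src[1])) >= 0) {
            c = hi * 16 + lo;
            src += 2;
        }
        if (c == 0 || n + 1 >= cap) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return 0;
}

/* Assumption (not from the post): '?wp' tags start the query string, and
 * the match is case-insensitive and tolerant of repeated percent-encoding
 * (up to three decode passes), to err on the side of refusing.
 * Returns 1 if the request should be refused, 0 otherwise. */
int query_is_wp_tag(const char *query)
{
    char a[1024], b[1024];
    int pass;
    if (query == NULL) return 0;               /* no query string at all */
    if (pct_decode(query, a, sizeof a) != 0) return 1;
    for (pass = 0; pass < 2 && strchr(a, '%'); pass++) {
        if (pct_decode(a, b, sizeof b) != 0) return 1;
        strcpy(a, b);
    }
    return tolower((unsigned char)a[0]) == 'w'
        && tolower((unsigned char)a[1]) == 'p' && a[2] == '-';
}
```

The check runs on the query string rather than the path, which is the part the message says ACLs do not match on.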