Other vulnerabilities in Netscape Enterprise Server could allow listing of directories on the server even if index.html files are in place, or allow the exposure of script source code.
The first vulnerability is a buffer overflow condition in the procedure which handles the GET method. GET is the method used by a web browser to request a page from the server. By sending a very long GET request to the server, an attacker could cause a buffer to overflow, thus overwriting the stack. A specially crafted request could be used to execute arbitrary code on the server.
All versions of Netscape FastTrack Server, and Enterprise Server prior to 3.6 with service pack 3, are vulnerable.
The second vulnerability is in the HTTP Basic Authentication procedure. It affects servers which contain any pages that are password protected. An attacker could go to a password protected page and cause a buffer overflow by entering a very long username or password. A specially crafted string could be used to execute arbitrary code on the server.
Any Netscape Enterprise or FastTrack server containing password protected pages is vulnerable. Although Service Pack 3 for Enterprise Server 3.6 fixes the vulnerability in Enterprise Server, the Administration Server is still vulnerable.
If Directory Indexing is enabled on a Netscape Enterprise server, then Web Publishing tags can be used by a remote user to view directory listings on the server, even if there is an index.html file in the directory.
CAN 2001-0250
If Web Publishing is enabled, a remote user can obtain a directory listing on the web server using the INDEX request method.
By appending a hex-encoded space character (%20) to a URL, Netscape Enterprise Server 3.0, Netscape Enterprise Server 3.51, and Netscape FastTrack Server 3.01 can be made to reveal the source code of any script on the web server, instead of running the script. This vulnerability does not grant immediate access to an attacker, but could reveal passwords or other sensitive information that could be used to plan an attack.
CVE 1999-0751
Note: Although the GET buffer overflow could be fixed by a patch which was released for Enterprise Server 3.6 service pack 2, the patch itself introduced another buffer overflow condition, and is not a recommended solution.
The workaround for the vulnerability in the Web Publishing tags is to disable Directory Indexing. To disable Directory Indexing, look in the obj.conf file for the following lines:

Service method="(GET|HEAD)"
type="magnus-internal/directory"
fn="index-common"

Change the third line to:

fn="send-error"

The workaround for the INDEX request vulnerability is to disable INDEX requests. Be aware that this may affect the functionality of Web Publishing.
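The following Python is an added example, not part of this tutorial or of Netscape's software: it flags the INDEX request method, URLs ending in a hex-encoded space, and oversized GET requests in access-log lines, and checks an obj.conf fragment for the index-common Service directive that the workaround above says to change. The NCSA common log format, the 4096-byte URI threshold, and the sample log lines and obj.conf fragments are assumptions constructed for the example.

```python
import re

# Sample log lines and obj.conf fragments below are constructed, not captured from a real server.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)(?: [^"]*)?" (\d{3}) \S+')
LONG_URI_THRESHOLD = 4096  # assumed limit; raise it if legitimate URIs are longer

def check_request(method, uri):
    """Return the reasons one request matches the issues described on this page."""
    reasons = []
    if method.upper() == "INDEX":
        reasons.append("INDEX method: Web Publishing directory listing (CAN 2001-0250)")
    if uri.split("?", 1)[0].lower().endswith("%20"):
        reasons.append("URI ends in %20: script source exposure (CVE 1999-0751)")
    if method.upper() == "GET" and len(uri) > LONG_URI_THRESHOLD:
        reasons.append("oversized GET: possible buffer overflow attempt")
    return reasons

def scan_access_log(lines):
    """Return one dict per suspicious NCSA common-log line; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, uri, _status = m.groups()
        reasons = check_request(method, uri)
        if reasons:
            hits.append({"client": client, "method": method, "uri": uri, "reasons": reasons})
    return hits

# A Service directive may span several lines (as in the tutorial's obj.conf excerpt), so each
# block is cut at the next directive keyword or at </Object> before it is inspected.
SERVICE_RE = re.compile(r'^\s*Service\b(.*?)(?=^\s*(?:AuthTrans|NameTrans|PathCheck|ObjectType'
                        r'|Service|Error|AddLog)\b|^\s*</Object>|\Z)', re.M | re.S)

def directory_indexing_enabled(obj_conf):
    """True if any Service directive still routes directory requests to index-common."""
    return any('type="magnus-internal/directory"' in m.group(1) and 'fn="index-common"' in m.group(1)
               for m in SERVICE_RE.finditer(obj_conf))

OBJ_CONF_VULNERABLE = ('<Object name="default">\nService method="(GET|HEAD)"\n'
                       'type="magnus-internal/directory"\nfn="index-common"\n</Object>\n')
OBJ_CONF_FIXED = OBJ_CONF_VULNERABLE.replace('fn="index-common"', 'fn="send-error"')
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2001:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 2048',
    '10.0.0.5 - - [24/Jan/2001:10:01:09 -0500] "INDEX /docs/ HTTP/1.0" 200 512',
    '10.0.0.7 - - [24/Jan/2001:10:02:31 -0500] "GET /cgi-bin/login.pl%20 HTTP/1.0" 200 1843',
    '10.0.0.9 - - [24/Jan/2001:10:03:00 -0500] "GET /%s HTTP/1.0" 400 0' % ("A" * 5000),
]
```

Running scan_access_log(SAMPLE_LOG) flags the last three constructed lines, and directory_indexing_enabled() returns True for the fragment with index-common and False once it has been changed to send-error.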
X-Force advisory 39 discusses the vulnerability in the HTTP Basic Authentication procedure.
See the Bugtraq postings for more information on the Web Publishing tags vulnerability and the solution.
See S.A.F.E.R. Bulletin 010124.EXP.1.11 for more information on the INDEX request problem.
See Allaire Security Bulletin 99-06 for information on the source code exposure vulnerability.