This problem has been around in "Livewire" since its inception. We solved it more securely by putting the actual web file in a protected directory above the website's directory. It makes testing a bit more of a pain (relative URL's have to be mucked with) but it's certainly more secure than renaming the file. The problem with the default setup (and the renaming system) is that the .web file lies in a publicly-readable directory. Put it somewhere where the OS can protect it instead. We really panicked when we first realized this -- we had, of course, database usernames and passwords in the .web file! [BTW, please note that I don't subscribe to BugTraq -- I received this through another source who was just passing it along to me.] ----------------------------------------------------------------- Matthew Frederick USWeb Corporation Director of Technology Phoenix Office Associate Partner mfrederickat_private ----------------------------------------------------------------- USWeb Corporation A Strategic Partner for the Information Age > -----Original Message----- > From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Daragh > Malone > Sent: Friday, April 24, 1998 4:48 AM > To: BUGTRAQat_private > Subject: Security Hole in Netscape Enterprise Server 3.0 > > > Hi All, > I don't know if there is a patch for this, or if this is already > well known, but here it is. A simple workaround follows. > > Problem: Livewire Applications are downloadable. (Passwords are > unencrypted) > > Platform: DEC UNIX 4.0D (possibly all Unixes/NT) > > Description: > Livewire applications are basically server-side Javascript > applications that behave similiar to Active Server Pages. The main > difference is that Livewire applications are compiled to a proprietary > byte executable that contains all the pages in the application. > These applications are generated with .web extensions. In their own > example, the game hangman is accessed as > http://www.myserver.com/hangman/ and the application is hangman.web. > So accessing http://www.myserver.com/hangman/hangman.web will download > the application to your browser. > The second problem lies in the fact that all the pages are > readable, and that database username/passwords are unencrypted, unless > specifically encrypted in your application. > The two problems combined can compromise security. This problem > occurs regardless of Web directory permissions from a server level. > > Quick Workaround: > Rename the .web application to something cryptic like G6r$79k9.web > and make sure that the directory it's in isn't a document directory. > > Rant: > I verified this problem on a few Internet sites, which leads to the > question: If you verify a web security problem (remember .. at the end > of Active Server Pages) is this technically illegal. > If anyone knows if this problem has been fixes I'd really > appreciate it. > > > Thanks, > D.Malone. > >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:51:11 PDT