Re: Security Hole in Netscape Enterprise Server 3.0

From: Pihl Fredrik (FPLat_private)
Date: Fri Apr 24 1998 - 10:36:47 PDT

Next message: Chris Evans: "Re: smbmount problem?"

Previous message: Matthew Frederick: "Re: Security Hole in Netscape Enterprise Server 3.0"
Maybe in reply to: Daragh Malone: "Security Hole in Netscape Enterprise Server 3.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

You will have to protect your Web applications using the Wildcard protection
feature. It's mentioned at Netscape's Developer site in the Technotes/FAQ,
http://developer.netscape.com. Deny acces to all *.web requests.

Best regards,
Fredrik Pihl






Fredrik Pihl
AU-System Network / Internet Göteborg
Ebbe Lieberathsgatan 18 A
Box 16017  S-412 21  Göteborg SWEDEN
Phone: +46 31 335 58 10  Fax: +46 31 335 89 81
Mailto: fredrik.pihlat_private
http://www.ausys.se/


> -----Original Message-----
> From: Daragh Malone [SMTP:daragh_maloneat_private]
> Sent: den 24 april 1998 13:48
> To:   BUGTRAQat_private
> Subject:      Security Hole in Netscape Enterprise Server 3.0
>
>      Hi All,
>         I don't know if there is a patch for this, or if this is already
>      well known, but here it is. A simple workaround follows.
>
>      Problem: Livewire Applications are downloadable. (Passwords are
>      unencrypted)
>
>      Platform: DEC UNIX 4.0D (possibly all Unixes/NT)
>
>      Description:
>         Livewire applications are basically server-side Javascript
>      applications that behave similiar to Active Server Pages. The main
>      difference is that Livewire applications are compiled to a
> proprietary
>      byte executable that contains all the pages in the application.
>         These applications are generated with .web extensions. In their
> own
>      example, the game hangman is accessed as
>      http://www.myserver.com/hangman/ and the application is hangman.web.
>      So accessing http://www.myserver.com/hangman/hangman.web will
> download
>      the application to your browser.
>         The second problem lies in the fact that all the pages are
>      readable, and that database username/passwords are unencrypted,
> unless
>      specifically encrypted in your application.
>         The two problems combined can compromise security. This problem
>      occurs regardless of Web directory permissions from a server level.
>
>      Quick Workaround:
>         Rename the .web application to something cryptic like G6r$79k9.web
>      and make sure that the directory it's in isn't a document directory.
>
>      Rant:
>         I verified this problem on a few Internet sites, which leads to
> the
>      question: If you verify a web security problem (remember .. at the
> end
>      of Active Server Pages) is this technically illegal.
>         If anyone knows if this problem has been fixes I'd really
>      appreciate it.
>
>
>         Thanks,
>         D.Malone.

Next message: Chris Evans: "Re: smbmount problem?"
Previous message: Matthew Frederick: "Re: Security Hole in Netscape Enterprise Server 3.0"
Maybe in reply to: Daragh Malone: "Security Hole in Netscape Enterprise Server 3.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:51:12 PDT