Hi,

You will have to protect your Web applications using the Wildcard protection feature. It's mentioned at Netscape's Developer site in the Technotes/FAQ, http://developer.netscape.com. Deny access to all *.web requests.

Best regards,
Fredrik Pihl

Fredrik Pihl
AU-System Network / Internet Göteborg
Ebbe Lieberathsgatan 18 A
Box 16017
S-412 21 Göteborg
SWEDEN
Phone: +46 31 335 58 10
Fax: +46 31 335 89 81
Mailto: fredrik.pihlat_private
http://www.ausys.se/

> -----Original Message-----
> From: Daragh Malone [SMTP:daragh_maloneat_private]
> Sent: 24 April 1998 13:48
> To: BUGTRAQat_private
> Subject: Security Hole in Netscape Enterprise Server 3.0
>
> Hi All,
> I don't know if there is a patch for this, or if this is already
> well known, but here it is. A simple workaround follows.
>
> Problem: Livewire Applications are downloadable. (Passwords are
> unencrypted)
>
> Platform: DEC UNIX 4.0D (possibly all Unixes/NT)
>
> Description:
> Livewire applications are basically server-side Javascript
> applications that behave similarly to Active Server Pages. The main
> difference is that Livewire applications are compiled to a proprietary
> byte executable that contains all the pages in the application.
> These applications are generated with .web extensions. In their own
> example, the game hangman is accessed as
> http://www.myserver.com/hangman/ and the application is hangman.web.
> So accessing http://www.myserver.com/hangman/hangman.web will download
> the application to your browser.
> The second problem lies in the fact that all the pages are
> readable, and that database username/passwords are unencrypted, unless
> specifically encrypted in your application.
> The two problems combined can compromise security. This problem
> occurs regardless of Web directory permissions from a server level.
>
> Quick Workaround:
> Rename the .web application to something cryptic like G6r$79k9.web
> and make sure that the directory it's in isn't a document directory.
>
> Rant:
> I verified this problem on a few Internet sites, which leads to the
> question: If you verify a web security problem (remember .. at the end
> of Active Server Pages) is this technically illegal?
> If anyone knows if this problem has been fixed I'd really
> appreciate it.
>
> Thanks,
> D.Malone.
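The thread's fix is to deny every request for *.web; a server administrator will also want to know whether any compiled bundle has already been handed out. The following is an added example, not code from either poster or from Netscape: it scans Common Log Format access-log lines for requests that name a .web bundle and flags the ones the server answered with 2xx. The log lines are constructed, and the CLF field layout is an assumption about the server's log format.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Common Log Format as assumed here: host ident user [ts] "METHOD target PROTO" status bytes
CLF_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

@dataclass
class Hit:
    host: str
    ts: str
    target: str
    status: int
    served: bool  # True when a 2xx status means the bundle body left the server

def is_web_bundle_request(target: str) -> bool:
    """True when the request path names a compiled LiveWire .web bundle.
    Drops query string and fragment and compares case-insensitively, so
    'Hangman.WEB?x=1' is caught as well as 'hangman.web'."""
    path = urlsplit(target).path
    return path.lower().endswith(".web")

def find_web_downloads(log_lines):
    """Return one Hit per request for a *.web file; lines that do not parse
    as CLF are skipped rather than raising."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m or not is_web_bundle_request(m["target"]):
            continue
        status = int(m["status"])
        hits.append(Hit(m["host"], m["ts"], m["target"], status, 200 <= status < 300))
    return hits

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Apr/1998:13:48:01 +0200] "GET /hangman/ HTTP/1.0" 200 2311',
    '10.0.0.5 - - [24/Apr/1998:13:48:07 +0200] "GET /hangman/hangman.web HTTP/1.0" 200 48210',
    '10.0.0.9 - - [24/Apr/1998:13:49:12 +0200] "GET /hangman/Hangman.WEB?x=1 HTTP/1.0" 403 0',
    '10.0.0.9 - - [24/Apr/1998:13:49:30 +0200] "GET /hangman/index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for h in find_web_downloads(SAMPLE_LOG):
        print(("SERVED " if h.served else "denied ") + f"{h.host} {h.ts} {h.target} {h.status}")
```

A served hit means the bundle, with any database credentials compiled into it, should be treated as disclosed and those credentials rotated, in addition to applying the wildcard deny.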
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:51:12 PDT