Just turn off directory indexing on the affected servers. Then you just get a
"Server Error" message.

John Sweeney
Network Professionals, Inc.

-----Original Message-----
From: jon <realizeat_private>
To: BUGTRAQat_private <BUGTRAQat_private>
Date: Monday, August 17, 1998 1:03 PM
Subject: Fw: [NTSEC] Netscape Server Security Hole

>FWD from ntsecurity. See ntsecurity archive for original postings:
>[begin]
>I am running Web servers using three different servers, Netscape Enterprise
>2.0 on Solaris 2.5.1, Apache 1.2b11 on BSDI 3.0 and Netscape Enterprise
>3.5.1 on NT 4.0 Server w/128-bit SP3. In testing these for the
>/?PageServices query, only the Netscape Enterprise 3.5.1 server running on
>NT [This is not limited to NT. See below, last post...] produced a directory
>listing of the docs root.
>
>
>The Page Services function is a menu item under View in Netscape Navigator
>4.xx and Communicator. All one has to do is load up a Web page, go to View
>on the menu bar and see if Page Services is activated. If it is, select it
>and you'll get back a directory listing of the Web server docs root. If
>there are subdirectories in this root, you can see a listing of all the
>files in these as well.
>
>I have yet to look at Netscape's site for any news about this problem, but
>for now I have turned off the Web server using Enterprise 3.5.1.
>
>>Date: Thu, 13 Aug 1998 23:01:04 +1000
>>From: "Simon Johnson" <simon.johnsonat_private>
>>Subject: Re: [NTSEC] Netscape Server Security Hole?
>>
>>TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomoat_private
>>Contact ntsecurity-ownerat_private for help with any problems!
>>- --------------------------------------------------------------------------
>>
>>Hello,
>>
>>In relation to the /?PageServices query, I think it's a misconfiguration of
>>the Web server. I have just finished testing 10 different Web servers for
>>this query. The following servers were not vulnerable:
>>
>>Netscape Enterprise 2.01
>>Netscape Commerce 1.12
>>Oracle Web Listener 4.0.6.2.0 Enterprise Edition
>>Apache 1.2.1.
>>Apache 1.2.5.
>>Apache/1.3.1 (Unix) mod_perl/1.15
>>Apache/1.2.6
>>Domino Go Webserver 4.6
>>
>>The Web servers mentioned in Tim Ehrhart's original message are running the
>>following:
>>
>>Netscape Enterprise 2.01 - www.symantec.com
>>Netscape Enterprise 3.5.1 - redirect.cnet.com
>>
>>However, I did find two servers that produced a "Server Error" message.
>>They were:
>>
>>Netscape Enterprise 3.5.1C
>>Netscape Enterprise 3.5 For NetWare
>>
>>I have not tested these two servers to see why they crashed. Nor am I
>>planning to.
>>
>>:-)
>>
>>Best regards,
>>
>>Simon Johnson
>>Technical Director
>>Shake Communications
>>Experts in Internet and Information Security
>>http://www.shake.net
>>
>>------------------------------
>
>-----Original Message-----
>From: Matthew Patton <pattonat_private>
>To: ntsecurityat_private <ntsecurityat_private>
>Date: Saturday, August 15, 1998 8:48 PM
>Subject: Re: [NTSEC] Netscape Server Security Hole
>
>
>:
>:TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomoat_private
>:Contact ntsecurity-ownerat_private for help with any problems!
>:--------------------------------------------------------------------------
>:
>:>/?PageServices query, only the Netscape Enterprise 3.5.1 server running on
>:>NT produced a directory listing of the docs root.
>:
>:It's potentially WAY worse than that folks. On a wild guess I hit a certain
>:military related think tank's website. They run Enterprise 3.5.1 on Solaris.
>:(Netcraft is quite obliging with a list of other sites that run the same
>:version...)
>:
>:What I found was absolutely incredible! The moron who set the site up
>:didn't separate the webcontent from the server configuration. So here I am
>:grabbing his user and administrative password files, the works. What a
>:flaming loser.
>:
>:Yes, he's been notified. Thankfully, of the handful of 3.5.1's I've hit
>:most of them just give up a directory listing of the webroot and that's it.
>:
>:This PageServices thing should be a BugTraq item if it isn't already. It's
>:not limited to just the NT versions.
>:
>:--------
>:"You need only reflect that one of the best ways to get yourself a
>: reputation as a dangerous citizen these days is to go around repeating
>: the very phrases which our founding fathers used in their struggle for
>: independence," - Charles A. Beard (American historian)
>:
>[end]
>
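
A defender-side check for the behaviour discussed in this thread, added here as an example and not part of any of the original posts: it scans Common Log Format access logs for requests carrying the PageServices query and separates the ones the server answered from the ones that ended in a server error. The log format, the sample lines and the status mapping (200 read as a probable listing, 5xx read as the "Server Error" case) are assumptions.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

def classify(status):
    """Assumed mapping from HTTP status to the outcomes described in the thread."""
    if status == 200:
        return "listing-likely-returned"  # server answered the query: review this host
    if status >= 500:
        return "server-error"             # what the thread reports with indexing off
    return "other"

def has_pageservices(query):
    """True if any parameter name in the query is PageServices.
    Decoding and case-folding are a conservative assumption, so that
    percent-encoded or re-cased variants are not missed."""
    names = (p.split("=", 1)[0] for p in unquote(query).split("&"))
    return any(n.lower() == "pageservices" for n in names)

def find_pageservices(lines):
    """Return (host, time, path, verdict) for each matching request."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host, when, _method, target, status, _size = m.groups()
        path, _, query = target.partition("?")
        if query and has_pageservices(query):
            hits.append((host, when, path, classify(int(status))))
    return hits

# Constructed sample log lines using documentation addresses, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [17/Aug/1998:13:03:00 -0700] "GET /?PageServices HTTP/1.0" 200 2048',
    '192.0.2.10 - - [17/Aug/1998:13:03:05 -0700] "GET /docs/?PageServices HTTP/1.0" 500 305',
    '198.51.100.7 - - [17/Aug/1998:13:04:11 -0700] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [17/Aug/1998:13:05:42 -0700] "GET /?%50ageServices HTTP/1.0" 200 1980',
    '203.0.113.4 - - [17/Aug/1998:13:06:00 -0700] "GET /search?q=PageServices HTTP/1.0" 200 800',
]

if __name__ == "__main__":
    for host, when, path, verdict in find_pageservices(SAMPLE):
        print(f"{when} {host} {path} -> {verdict}")
```

Hosts that show up with the first verdict are the ones to check for directory indexing and for configuration files stored under the document root.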
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:12:53 PDT