Re: Netscape Web Publisher

From: Kitetoa (kitetoaat_private)
Date: Mon Nov 08 1999 - 07:07:53 PST


    Hi,
    
    This is another way to use the ?PageServices problem on Netscape Servers...
    
    ?PageServices may list directories from root (ie
    www.server.com/?PageServices) to specific directories, inside the server (ie
    www.server.com/html/?PageServices). This might happen (directory content
    listing) even if the Admin wants the default page in a directory to be
    index.htm or whatever... Now, this may help a malicious evil
    darksideoftheforce cracker to get some nice information like the content of
    a /stats/ directory with raw logs stored inside... You might find in there
    some IPs followed by a user name. This is the first step of course. For the
    next step, go to Defcon and attend the social engineering contest.
    
    Now what's worse about this ?PageServices or /publisher/ stuff
    
    Well, on a misconfigured server, you can try www.server.com/?pageservices
    (nah, it's not the same, mind the caps) and you might get access to a remote
    admin page that is not exactly the same as the one shown in Tim Jones' post
    [ie the result of www.server.com/publisher/]. [You can see an image here if
    you really are interested in this stuff:
    http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/lafinanceendirect.htm ]
    Now what?
    Well on this page, you can get access to the Web Publisher, to the Access
    control tool and more... Ok, you still need a user ID and a password to
    publish something... Sometimes you'll get the User ID in the field "Owner"
    of the Web Publisher window. Second step: again, syntax error goto 110
    errr. No..., go to Defcon and listen carefully to what will be said during
    the social engineering contest...
    
    And if none of these work, you also have the /publisher/ trick.
    :)
    
    And that is the interesting part of Tim's post. Because if the Admin (he's
    smart...) has disabled the access to the remote admin page through
    /?pageservices, you can try /publisher/ -- It might work in some cases...
    :))
    
    Now... I want to make Tim more comfortable...
    Me and my beloved friends at Kitetoa have mailed tons of rootat_private,
    postmasterat_private and webmasterat_private about their problems with the
    ?PageServices, ?pageservices, and Web Publisher... And I'm not even talking
    of the famous eEye Bug on IIS... you just can't imagine how many French
    servers are at risk.
    
    Well... What's their answer?
    
    Nothing.
    
    What do they do about it?
    
    Nothing.
    
    Just like the FBI I guess...
    
    The only answer we got [months after our initial mail] was from a **very**
    famous internet discount broker [the Web Publisher loaded a _vti_pvt
    directory with a users.pwd file in it]. Their answer was: this is untrue and
    ... It's not a risk for our server.... But they fixed that within some hours
    
    It took months before they admitted the risk was (very) high. In the first
    place they said they would sue us.
    
    One must love those guys to tell them they have install problems...
    
    Heh...
    
    K.
    
    -----Original Message-----
    From: Tim Jones <cybersysop813at_private>
    To: BUGTRAQat_private <BUGTRAQat_private>
    Date: Monday 8 November 1999 00:21
    Subject: Netscape Web Publisher
    
    
    > This is not a HOLE. By default (I think) Netscape-Enterprise/3.5.1I
    > installs A LOT of shit that you will never need or use. But like most things
    > people don't use, people don't remove them. A major thing that Netscape
    > installs is Netscape Web Publisher, which you can access via http. By
    > default it's /publisher/. Like on www.fbi.gov/publisher/ click on Start Web
    > Publisher. Then after the Java app loads it will ask you for a Username and
    > Password. Well just leave them blank and hit ENTER.. Now this is a bad idea
    > because anyone could just brute force the User Name and password. Then after
    > you do or don't enter a user name and a password it will show you ALL files in
    > the web dir. Now this is also a bad idea because some people leave like oh
    > password lists, user names, cc info in the web dir. All of which you could
    > access from the web if you had the info on where it was. So in short it's a
    > BAD idea to leave /publisher/ on Netscape on. You should remove /publisher/.
    > Most people don't give a shit like www.fbi.gov/publisher/ that you can look
    > at all their files but they're stupid so whatever..
    >
    > I emailed netscape, fbi.gov about 2 weeks ago about this and I have got no
    > reply.. So maybe they might fix it now.
    >
    > --flipz
    >
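The thread above names three things an administrator of a Netscape Enterprise Server would want to see in their own access logs: requests for `?PageServices` (directory listing), for the lowercase `?pageservices` variant (the remote admin page, which the post stresses is a different thing), for `/publisher/` (Web Publisher) and for the `_vti_pvt/users.pwd` file the Web Publisher can expose. The script below is an added example, not part of either post: it parses Common Log Format lines (the sample lines are constructed, with documentation-range IPs) and flags those requests, recording whether the server actually answered 200 so a probe that was refused can be told apart from a listing that was really served. The log format, field names and labels are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/1999:07:01:12 -0800] "GET /?PageServices HTTP/1.0" 200 4120
203.0.113.7 - - [08/Nov/1999:07:01:15 -0800] "GET /stats/?PageServices HTTP/1.0" 200 2210
198.51.100.23 - - [08/Nov/1999:07:02:03 -0800] "GET /index.htm HTTP/1.0" 200 1830
203.0.113.7 - - [08/Nov/1999:07:03:40 -0800] "GET /?pageservices HTTP/1.0" 200 980
192.0.2.44 - - [08/Nov/1999:07:04:01 -0800] "GET /publisher/ HTTP/1.0" 200 3311
192.0.2.44 - - [08/Nov/1999:07:04:09 -0800] "GET /_vti_pvt/users.pwd HTTP/1.0" 404 210
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify_request(target):
    """Return the labels that apply to one request target, or [] if it is benign.

    The query string is compared case-sensitively because the thread says the
    two spellings reach different things: ?PageServices lists a directory,
    ?pageservices reaches the remote admin page.
    """
    parts = urlsplit(unquote(target))   # decode %xx first so /%5Fvti_pvt/ is caught
    path = parts.path.lower()
    query = parts.query
    labels = []
    if query == "PageServices":
        labels.append("pageservices-listing")
    elif query.lower() == "pageservices":
        labels.append("pageservices-admin")
    if path == "/publisher" or path.startswith("/publisher/"):
        labels.append("web-publisher")
    if "/_vti_pvt/" in path:
        labels.append("vti_pvt-access")
    return labels


def scan_log(text):
    """Parse CLF lines and return one finding per request that matched a label."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue                     # skip unparseable lines rather than abort
        labels = classify_request(m.group("target"))
        if not labels:
            continue
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "target": m.group("target"),
            "labels": labels,
            # 200 means the server handed the listing/page over, not just a probe
            "served": m.group("status") == "200",
        })
    return findings


def count_by_ip(findings):
    """Number of flagged requests per client, for prioritising which host to look at."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        state = "SERVED" if f["served"] else "refused"
        print(f'{f["ts"]} {f["ip"]:<15} {state:<7} {",".join(f["labels"]):<22} {f["target"]}')
    print(count_by_ip(scan_log(SAMPLE_LOG)))
```

A 200 on a `pageservices-listing` line is the case the first post describes (the listing was produced even though an index page exists); a 404 on `vti_pvt-access` only tells you someone looked for the file, which is still worth knowing because it shows the Web Publisher layout is being checked for.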
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:59 PDT