Netscape FastTrack get Directory Listing

1998-01-16T00:00:00
ID OSVDB:122
Type osvdb
Reporter OSVDB
Modified 1998-01-16T00:00:00

Description

Vulnerability Description

Netscape FastTrack contains a flaw that allows a remote user to obtain a directory listing regardless of the presence of "index.html" (or a similar default file). The issue is due to FastTrack not properly handling lowercase web requests. By sending a request with the method "get" instead of "GET", an attacker can bypass the display of the default file and see a raw listing of the files in a directory.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Disable open browsing completely.
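For detection, the request pattern described above can be looked for in web server access logs. The following is an added example, not part of the original entry: it assumes logs in Common Log Format, and the sample lines, addresses and function name are constructed for illustration.

```python
import re

# Common Log Format: host ident user [time] "METHOD PATH PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def find_wrong_case_methods(lines):
    """Return requests whose method is a standard method in the wrong case."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue                      # not a CLF line, skip it
        method = m["method"]
        if method in STANDARD_METHODS:
            continue                      # normal, correctly cased request
        if method.upper() not in STANDARD_METHODS:
            continue                      # unknown method, out of scope here
        path = m["path"].split("?", 1)[0]
        hits.append({
            "line": lineno,
            "host": m["host"],
            "method": method,
            "path": m["path"],
            # Directory URL answered with 200: the case this entry describes.
            "directory_200": path.endswith("/") and m["status"] == "200",
        })
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jan/1998:10:00:01 +0000] "GET /docs/ HTTP/1.0" 200 2048',
    '198.51.100.7 - - [16/Jan/1998:10:00:05 +0000] "get /docs/ HTTP/1.0" 200 913',
    '198.51.100.7 - - [16/Jan/1998:10:00:09 +0000] "Get /docs/readme.txt HTTP/1.0" 200 120',
    '192.0.2.10 - - [16/Jan/1998:10:00:12 +0000] "PROPFIND /docs/ HTTP/1.1" 501 0',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_wrong_case_methods(SAMPLE_LOG):
        print(hit)
```

Entries with "directory_200" set are the ones to review first, since they are successful responses to a directory URL requested with a non-uppercase method.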


References:

Nessus Plugin ID: 10156
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1998_1/0092.html
ISS X-Force ID: 1731
CVE-1999-0239
Bugtraq ID: 481