netscape-enterprise-pageservices.txt

1999-08-17T00:00:00
ID PACKETSTORM:15238
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
Date: Mon, 12 Oct 1998 13:20:11 +0200  
From: Jorgen Smith <jorgen.smith@LEOBURNETT.NO>  
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM  
Subject: PageServices bug in Netscape Enterprise server  
  
Hi,  
  
Just in case it has not already been reported (my guess is that it has, and  
that a lid is put on this till Netscape works it out), I just received the  
following note (source unknown) saying that there is a bug in Netscape  
Enterprise Server that lets you browse the contents of any directory.  
  
The bug is effected by adding the parameter ?PageServices. It does not  
circumvent directory security, but internal pages or directories secured by  
their names only are open prey.  
  
****  
Check out the e.g. <URL:http://www.nasa.gov/?PageServices>. This is one  
list of servers affected/not affected by the bug:  
  
> site                    works?  server  
> www.nasa.gov            yes     Netscape-Enterprise/3.5.1  
> www.netscape.com        no      Netscape-Enterprise/2.01  
> merchant.netscape.com   no      Netscape-Enterprise/3.0L  
> www.boisecascade.com    yes     Netscape-Enterprise/3.5.1B  
> www.home.net            no      Netscape-Enterprise/3.5.1  
> www.pdi-corp.com        yes     Netscape-Enterprise/3.5.1  
> www.anl.gov             yes     Netscape-Enterprise/3.5.1G  
> www.aqmd.gov            no      Netscape-Enterprise/2.01  
> www.bop.gov             yes?    Netscape-Enterprise/3.01  
>  
> That last one is different. If you click on "Web Publisher" you  
> will eventually get a java file browser for the web site. I'm not  
> sure if it will let you write files (it certainly seems so) but I  
> didn't want to try.  
****  
  
What we are anxious to know is whether any patches are available. Browsing  
through Netscape's help and developer pages did not bring enlightenment.  
  
  
Regards,  
  
Jørgen Smith  
Programmer, Leo Burnett Interaktiv A/S  
  
--------------------------------------------------------------------  
  
Date: Mon, 12 Oct 1998 13:53:28 +0200  
From: Jorgen Smith <jorgen.smith@LEOBURNETT.NO>  
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM  
Subject: Re: PageServices bug in Netscape Enterprise server  
  
I wrote:  
  
> What we are anxious to know is whether any patches are available.  
> Browsing through Netscape's help and developer pages did not  
> bring enlightenment.  
  
We found a workaround in setting Directory Indexing to "none"; the default  
setting is "fancy". In NSES 3.5.1, this is done in Document Preferences  
under Content Management in the Admin interface.  
  
After setting DI to none, the client will receive a "Server Error" message  
instead of the directory listing.  
  
  
Regards,  
Jørgen Smith  
Programmer, Leo Burnett Interaktiv A/S  
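
Added example (not part of the original posts, and not Netscape code): a check an administrator can run over access logs in Common Log Format to find ?PageServices requests and tell apart those answered with a listing from those answered with an error once Directory Indexing is set to "none". The log lines are constructed, and treating the "Server Error" message as a 5xx status is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

def classify(line):
    """Return (client, path, verdict) for a ?PageServices request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, _when, _method, target, status, _size = m.groups()
    parts = urlsplit(target)
    # PageServices is a bare parameter with no value. Matching is done
    # case-insensitively and after URL-decoding as a conservative choice
    # (assumption: the page only shows the exact spelling "?PageServices").
    names = [unquote(p.split("=", 1)[0]).lower() for p in parts.query.split("&")]
    if "pageservices" not in names:
        return None
    code = int(status)
    if 200 <= code < 300:
        verdict = "LISTING_SERVED"          # directory contents were returned
    elif code >= 500:
        verdict = "BLOCKED_SERVER_ERROR"    # assumed result of the workaround
    else:
        verdict = "OTHER"
    return client, parts.path, verdict

def scan(lines):
    """Classify every line and keep only the ?PageServices hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/1998:13:20:11 +0200] "GET /?PageServices HTTP/1.0" 200 2048',
    '192.0.2.10 - - [12/Oct/1998:13:21:02 +0200] "GET /internal/?PageServices HTTP/1.0" 200 1337',
    '198.51.100.7 - - [12/Oct/1998:13:55:40 +0200] "GET /internal/?PageServices HTTP/1.0" 500 305',
    '198.51.100.7 - - [12/Oct/1998:13:56:01 +0200] "GET /index.html HTTP/1.0" 200 5120',
    '203.0.113.5 - - [12/Oct/1998:14:00:00 +0200] "GET /docs/?pageservices HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for client, path, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:22} {client:15} {path}")
```

Any LISTING_SERVED hit on a directory that relies on an unpublished name means that name should be treated as disclosed and the directory given real access control.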