Lucene search
K

netscape-enterprise-pageservices.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 39 Views

Netscape Enterprise Server has a bug allowing directory browsing using ?PageServices parameter.

Code
`Date: Mon, 12 Oct 1998 13:20:11 +0200  
From: Jorgen Smith <[email protected]>  
To: [email protected]  
Subject: PageServices bug in Netscape Enterprise server  
  
Hi,  
  
Just in case it has not already been reported (my guess is that it has, and  
that a lid is put on this till Netscape works it out), I just received the  
following note (source unknown) saying that there is a bug in Netscape  
Enterprise Server that lets you browse the contents of any directory.  
  
The bug is effected by adding the parameter ?PageServices. It does not  
circumvent directory security, but internal pages or directories secured by  
their names only are open prey.  
  
****  
Check out the e.g. <URL:http://www.nasa.gov/?PageServices>. This is one  
list of servers affected/not affected by the bug:  
  
> site works? server  
> www.nasa.gov yes Netscape-Enterprise/3.5.1  
> www.netscape.com no Netscape-Enterprise/2.01  
> merchant.netscape.com no Netscape-Enterprise/3.0L  
> www.boisecascade.com yes Netscape-Enterprise/3.5.1B  
> www.home.net no Netscape-Enterprise/3.5.1  
> www.pdi-corp.com yes Netscape-Enterprise/3.5.1  
> www.anl.gov yes Netscape-Enterprise/3.5.1G  
> www.aqmd.gov no Netscape-Enterprise/2.01  
> www.bop.gov yes? Netscape-Enterprise/3.01  
>  
> That last one is different. If you click on "Web Publisher" you  
> will eventually get a java file browser for the web site. I'm not  
> sure if it will let you write files (it certainly seems so) but I  
> didn't want to try.  
****  
  
What we are anxious to know is whether any patches are available. Browsing  
through Netscape's help and developer pages did not bring enlightenment.  
  
  
Regards,  
  
Jørgen Smith  
Programmer, Leo Burnett Interaktiv A/S  
  
--------------------------------------------------------------------  
  
Date: Mon, 12 Oct 1998 13:53:28 +0200  
From: Jorgen Smith <[email protected]>  
To: [email protected]  
Subject: Re: PageServices bug in Netscape Enterprise server  
  
I wrote:  
  
> What we are anxious to know is whether any patches are available.  
> Browsing through Netscape's help and developer pages did not  
> bring enlightenment.  
  
We found a workaround in setting Directory Indexing to "none"; the default  
setting is "fancy". In NSES 3.5.1, this is done in Document Preferences  
under Content Managment in the Admin interface.  
  
After setting DI to none, the client will receive a "Server Error" message  
instead of the directory listing.  
  
  
Regards,  
Jørgen Smith  
Programmer, Leo Burnett Interaktiv A/S  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation