`Date: Mon, 12 Oct 1998 13:20:11 +0200
From: Jorgen Smith <[email protected]>
To: [email protected]
Subject: PageServices bug in Netscape Enterprise server
Hi,
Just in case it has not already been reported (my guess is that it has, and
that a lid is put on this till Netscape works it out), I just received the
following note (source unknown) saying that there is a bug in Netscape
Enterprise Server that lets you browse the contents of any directory.
The bug is effected by adding the parameter ?PageServices. It does not
circumvent directory security, but internal pages or directories secured by
their names only are open prey.
****
Check out the e.g. <URL:http://www.nasa.gov/?PageServices>. This is one
list of servers affected/not affected by the bug:
> site works? server
> www.nasa.gov yes Netscape-Enterprise/3.5.1
> www.netscape.com no Netscape-Enterprise/2.01
> merchant.netscape.com no Netscape-Enterprise/3.0L
> www.boisecascade.com yes Netscape-Enterprise/3.5.1B
> www.home.net no Netscape-Enterprise/3.5.1
> www.pdi-corp.com yes Netscape-Enterprise/3.5.1
> www.anl.gov yes Netscape-Enterprise/3.5.1G
> www.aqmd.gov no Netscape-Enterprise/2.01
> www.bop.gov yes? Netscape-Enterprise/3.01
>
> That last one is different. If you click on "Web Publisher" you
> will eventually get a java file browser for the web site. I'm not
> sure if it will let you write files (it certainly seems so) but I
> didn't want to try.
****
What we are anxious to know is whether any patches are available. Browsing
through Netscape's help and developer pages did not bring enlightenment.
Regards,
Jørgen Smith
Programmer, Leo Burnett Interaktiv A/S
--------------------------------------------------------------------
Date: Mon, 12 Oct 1998 13:53:28 +0200
From: Jorgen Smith <[email protected]>
To: [email protected]
Subject: Re: PageServices bug in Netscape Enterprise server
I wrote:
> What we are anxious to know is whether any patches are available.
> Browsing through Netscape's help and developer pages did not
> bring enlightenment.
We found a workaround in setting Directory Indexing to "none"; the default
setting is "fancy". In NSES 3.5.1, this is done in Document Preferences
under Content Managment in the Admin interface.
After setting DI to none, the client will receive a "Server Error" message
instead of the directory listing.
Regards,
Jørgen Smith
Programmer, Leo Burnett Interaktiv A/S
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation