---------------- [ ZSH ] Advisory Netscape WebPublisher Allows Directory Listing and Access [ March 11, 2000 ] [ AD#000311-1 ] ---------------- Brief Description : Netscape Webpublisher is an addon to Netscape's Enterprise webserver which allows remote filemodifications, uploads and downloads. A third party user can access the WebPublisher via downloading a number of java applets and the webserver's directory structure without having a valid account on the system. Vulnerable Platforms : Solaris Vulnerable Versions : Netscape-Enterprise/3.5.1C Netscape-Enterprise/3.5.1G Netscape-Enterprise/3.5 1I Netscape-Enterprise/3.6 SP1 Netscape-Enterprise/3.6 SP2 Netscape-Enterprise/3.6 SP3 Vulnerability Description : Netscape's WebPublisher software, is an addon to Netscape-Enterprise servers, which allows file uploads and downloads, deleting and changing permissions on files. The WebPublisher installs by default in the /publisher directory on the webserver. This file is accessible for any third party user who can then install a local copy of the webpublisher or either run the remote version and gain access to the system. By doing a GET on /publisher we get a page that is titled "WebPublisher Home Page" and that contains some information about webpublisher. On the page there is also a Start Webpublisher button, which when pressed will download the WebPublisher Java Applet set. The default size for this download is 677k. It will then autostart the Java Applets and ask you to grant three electronic certificates ( developed by VeriSign ). When granted the server will query you for a username. You can input any username in here that you want. It doesn't need to be a valid system username. The applet will continue and open the WebPublisher window itself which will prompt you a directory listing of the webserver along with a menu at the top. This access violation lets you see the virtual directory root of the webserver. The menubar at the top lets you upload and download files and directories, modify files, delete and move them. These requests do ask for a password which can be brute forced. Nonetheless, WebPublisher is not supposed to allow directory listing and access (to open directories) to third party unauthorized users. Solution : #1 Uninstall Webpublisher or set directory permissions on the /publisher directory. #2 Apply Access Control to WebPublisher through the access control module. by f0bic (f0bic@deadprotocol.org) [ Full Advisory : http://zsh.stupidphat.com/advisory.cgi?000311-1 ] ---------------- -- [ http://zsh.stupidphat.com ] --