Vendor: Netscape
Product: Enterprise Server 3.5.1 (and possibly others)
Specifics: Netscape Web Publisher Vulnerability

Briefing:

A widespread problem with the ACL settings and default settings of Netscape Enterprise Server (Publisher).

Description:

The default installation of Netscape Enterprise Server 3.5.1 (and possibly other versions) includes a Java-based package called the "Netscape Web Publisher". The program is web based and is linked from the default index page that ships with Enterprise Server.

After an extensive search for sites serving the default index content, I found many sites running Publisher with a poor application of the ACL (Access Control List) options of Enterprise Server (about 90% of the sites). On such a site an intruder could search the web index content, list the web root directory, and view or download "non-public" files in the web root.

Here are the criteria by which a site should be considered vulnerable:

-The default Enterprise Server index is public
-http://www.poorperms.null/publisher is publicly available
-Whether proper, more secure ACL selections have been made

The third criterion is quite important. With Enterprise Server, I believe you have the option of choosing USER/PASS authentication or certificate-based authentication. Many of these sites pick the latter, certificate authentication. An intruder could simply use a proxy and/or other cloaking techniques, accept the certificate, and continue on to use the Publisher.

*Solution*

The solution is a shared one: both Netscape and the customer/administrator have a part in fixing this ongoing problem.

Fixes:

-Remove the default index and any default programs you do not use (such as Publisher and Publisher Search)
-If Publisher must be used, USER/PASS authentication is highly recommended rather than certificates
-Use the ACL settings more effectively (directory permissions, etc.)
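As an added example, not part of the original advisory, the following Python script shows how an administrator can check an Enterprise Server access log for the exposure described above: requests to the /publisher path that were answered with a 2xx status while the log's authenticated-user field is empty ("-"). Such hits mean the Publisher interface was handed to a client the ACL never authenticated. The script assumes the access log is written in Common Log Format (an assumption; adjust the regex if your server's log format differs), and the sample log lines are constructed, not real traffic.

```python
import re
from collections import Counter

# Common Log Format, assumed for the Enterprise Server access log:
# host ident authuser [time] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Web-root path named in the advisory. Add further prefixes here if Publisher
# Search is installed under another path on your server.
WATCHED_PREFIXES = ("/publisher",)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def _watched(rec, prefixes):
    path = rec["path"].split("?", 1)[0].lower()
    return path.startswith(prefixes)


def is_anonymous_publisher_hit(rec, prefixes=WATCHED_PREFIXES):
    """True when a watched path was served (2xx) with no authenticated user.

    A 401/403 means the ACL did its job; a 2xx with authuser '-' means the
    Publisher UI was served to an unauthenticated client, which is the
    misconfiguration the advisory describes.
    """
    if rec is None or not _watched(rec, prefixes):
        return False
    return 200 <= rec["status"] < 300 and rec["authuser"] == "-"


def audit_log(lines, prefixes=WATCHED_PREFIXES):
    """Return (anonymous_hits, denied_hits, hits_per_client) for the watched paths.

    anonymous_hits: records where Publisher was served without authentication.
    denied_hits:    records where the ACL refused access (401/403).
    hits_per_client: Counter of anonymous hits keyed by client host.
    """
    anonymous, denied = [], []
    per_client = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not _watched(rec, prefixes):
            continue
        if is_anonymous_publisher_hit(rec, prefixes):
            anonymous.append(rec)
            per_client[rec["host"]] += 1
        elif rec["status"] in (401, 403):
            denied.append(rec)
    return anonymous, denied, per_client


# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/1998:10:01:22 -0500] "GET / HTTP/1.0" 200 1543',
    '10.0.0.5 - - [12/Jan/1998:10:01:30 -0500] "GET /publisher HTTP/1.0" 200 8821',
    '10.0.0.5 - - [12/Jan/1998:10:01:31 -0500] "GET /publisher/ HTTP/1.0" 200 3021',
    '10.0.0.9 - jdoe [12/Jan/1998:10:05:02 -0500] "GET /publisher HTTP/1.0" 200 8821',
    '10.0.0.12 - - [12/Jan/1998:10:07:44 -0500] "GET /publisher HTTP/1.0" 401 412',
    '10.0.0.12 - - [12/Jan/1998:10:07:50 -0500] "GET /docs/index.html HTTP/1.0" 200 2001',
    'garbage line that is not CLF',
]

if __name__ == "__main__":
    anon, denied, clients = audit_log(SAMPLE_LOG)
    print(f"{len(anon)} anonymous Publisher hit(s), {len(denied)} denied by ACL")
    for host, n in clients.most_common():
        print(f"  {host}: {n} anonymous hit(s)")
```

Run against your own access log (`audit_log(open("access.log"))`): any anonymous hit means the ACL on the Publisher path is not requiring authentication, and the client hosts listed are the ones that reached it. A log showing only denied hits indicates the ACL is doing its job.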
For more information on how to take control of the ACL options, refer to the help directory which comes with Enterprise Server, or visit the vendor's website at http://www.netscape.com.

Adios,
Charles Chear