ZSH Advisory - Netscape WebPublisher Allows Directory Listing and Access. Netscape Webpublisher is an addon to Netscape's Enterprise webserver which allows remote file modifications, uploads and downloads. A third party user can access the WebPublisher via downloading a number of java applets and the webserver's directory structure without having a valid account on the system. Netscape v3.5.1 / 3.6 SP1-3 under solaris are vulnerable.
fe012892a4ac1f20d6bb25a0c0a171ed2caeab44aa5c8dc575e5b034b62084e2
----------------
[ ZSH ] Advisory
Netscape WebPublisher Allows Directory Listing and Access
[ March 11, 2000 ] [ AD#000311-1 ]
----------------
Brief Description :
Netscape Webpublisher is an addon to Netscape's Enterprise webserver which allows remote
filemodifications, uploads and downloads. A third party user can access the WebPublisher via
downloading a number of java applets and the webserver's directory structure without
having a valid account on the system.
Vulnerable Platforms :
Solaris
Vulnerable Versions :
Netscape-Enterprise/3.5.1C
Netscape-Enterprise/3.5.1G
Netscape-Enterprise/3.5 1I
Netscape-Enterprise/3.6 SP1
Netscape-Enterprise/3.6 SP2
Netscape-Enterprise/3.6 SP3
Vulnerability Description :
Netscape's WebPublisher software, is an addon to Netscape-Enterprise servers, which
allows file uploads and downloads, deleting and changing permissions on files. The
WebPublisher installs by default in the /publisher directory on the webserver. This file is
accessible for any third party user who can then install a local copy of the webpublisher or
either run the remote version and gain access to the system.
By doing a GET on /publisher we get a page that is titled "WebPublisher Home Page" and
that contains some information about webpublisher. On the page there is also a Start
Webpublisher button, which when pressed will download the WebPublisher Java Applet set.
The default size for this download is 677k. It will then autostart the Java Applets and ask you
to grant three electronic certificates ( developed by VeriSign ). When granted the server will
query you for a username. You can input any username in here that you want. It doesn't need
to be a valid system username. The applet will continue and open the WebPublisher window
itself which will prompt you a directory listing of the webserver along with a menu at the top.
This access violation lets you see the virtual directory root of the webserver. The menubar
at the top lets you upload and download files and directories, modify files, delete and move
them. These requests do ask for a password which can be brute forced. Nonetheless,
WebPublisher is not supposed to allow directory listing and access (to open directories) to
third party unauthorized users.
Solution :
#1 Uninstall Webpublisher or set directory permissions on the /publisher directory.
#2 Apply Access Control to WebPublisher through the access control module.
by f0bic (f0bic@deadprotocol.org)
[ Full Advisory : http://zsh.stupidphat.com/advisory.cgi?000311-1 ]
----------------
-- [ http://zsh.stupidphat.com ] --
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed