Vendor: Netscape
Product: Enterprise Server 3.5.1 (and others?)
Specifics: Netscape Web Publisher

Vulnerability Briefing: A widespread problem with ACL settings and default settings in Netscape Enterprise Server (Web Publisher).

Description:
With the default installation of Netscape Enterprise Server 3.5.1 (and possibly others), a Java-based package called the "Netscape Web Publisher" is included. This program is web based and is also linked from the default index page that ships with Enterprise Server.

After running an extensive search of the default index content, I found various sites running Publisher with a poor application of the ACL (Access Control List) options of Enterprise Server (about 90% of the sites).

Actions an intruder could take include searching the web index content, listing the web root directory, and viewing/downloading "non-public" files in the web root.

Here are descriptors that provide criteria for what should be considered vulnerable:

-The default Enterprise Server index is public
-http://www.poorperms.null/publisher is publicly available
-Proper and more secure ACL selections (discussed below)

The third descriptor is quite important. With Enterprise Server, I believe you have the option of choosing USER/PASS authentication versus certificate-based authentication. Many of these sites pick the latter, certificate authentication. An intruder could simply use a proxy and/or other cloaking techniques, accept the certificate, and continue on to use the Publisher.

*Solution*
The solution is a shared one: both Netscape and the customer/administrator can take part in providing solutions to this ongoing problem.

Fixes:
-Remove the default index and any default programs you do not use (such as Publisher and Publisher Search)
-If Publisher must be used, USER/PASS methods are highly recommended rather than certificates
-Use the ACL settings more effectively (directory permissions, etc.)
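As an added example (not part of the original advisory and not Netscape's code), here is a small Python audit helper an administrator can run against a server they are responsible for. It requests the two paths the advisory names, the default index `/` and `/publisher`, without credentials, classifies each response by status code and `WWW-Authenticate` header, and maps a "public" result onto the fixes above. The host name `example.invalid`, the User-Agent string, the `Finding` class and the verdict labels are assumptions made here; the Publisher Search component has no path on the page, so it is not probed.

```python
"""Audit helper for the exposures described in the advisory: a public default
index and a Web Publisher application reachable without authentication.

Hypothetical code written for this page, not Netscape's own tooling.  Intended
to be run by the administrator against servers they operate."""
import http.client
import sys
from dataclasses import dataclass

# Paths named in the advisory: "/" is the default index page, "/publisher" is
# taken from the advisory's example URL.  Publisher Search has no path on the
# page, so it is deliberately not included.
DEFAULT_PATHS = ["/", "/publisher"]


@dataclass
class Finding:
    path: str
    status: int
    verdict: str  # "public", "auth-required", "forbidden", "absent" or "other"


def classify(path, status, headers):
    """Turn one unauthenticated GET result into a verdict.

    `headers` is a mapping of lower-cased header name -> value.  A 200 with no
    credentials supplied means the resource is public; a 401 carrying
    WWW-Authenticate means an ACL is prompting for USER/PASS.
    """
    if status == 200:
        return Finding(path, status, "public")
    if status == 401 and "www-authenticate" in headers:
        return Finding(path, status, "auth-required")
    if status == 403:
        return Finding(path, status, "forbidden")
    if status == 404:
        return Finding(path, status, "absent")
    return Finding(path, status, "other")


def fetch(host, path, port=80, timeout=10):
    """Plain HTTP GET with no credentials; returns (status, headers)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # User-Agent value is an assumption; any string works.
        conn.request("GET", path, headers={"User-Agent": "acl-audit/0.1"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers
    finally:
        conn.close()


def audit(host, paths=DEFAULT_PATHS, fetcher=fetch):
    """Probe each path once and classify the answer.  `fetcher` is injectable
    so the logic can be exercised offline with constructed responses."""
    return [classify(p, *fetcher(host, p)) for p in paths]


def recommendations(findings):
    """Map public findings onto the advisory's fixes."""
    out = []
    for f in findings:
        if f.verdict != "public":
            continue
        if f.path == "/":
            out.append("Remove the default Enterprise Server index page.")
        elif f.path == "/publisher":
            out.append("Remove Web Publisher or protect /publisher with a USER/PASS ACL.")
    return out


if __name__ == "__main__":
    # Usage: python acl_audit.py <host you administer>
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    results = audit(target)
    for r in results:
        print(f"{r.path:12} {r.status:4} {r.verdict}")
    for line in recommendations(results):
        print("FIX:", line)
```

The `fetcher` parameter exists so the classification and recommendation logic can be tested with constructed responses rather than a live server; in production the default `fetch` is used.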

For more information on how to take control of ACL options, refer to the help directory which comes with Enterprise Server, or visit the vendor's website at http://www.netscape.com.


Adios,
 Charles Chear