A third vulnerability in the Web Publishing tags in Netscape Enterprise server could allow listing of directories on the server even if index.html files are in place.
Note: The red stoplight on this page indicates the highest possible severity level for this vulnerability. Check the bullet next to the link to this tutorial on the previous page to determine the actual severity level. If the bullet is red, then the vulnerability could be exploited by an attacker. If the bullet is brown, then SAINT was unable to determine whether or not the server was vulnerable.
The first vulnerability is a buffer overflow condition in the procedure which handles the GET method. GET is the method used by a web browser to request a page from the server. By sending a very long GET request to the server, an attacker could cause a buffer to overflow, thus overwriting the stack. A specially crafted request could be used to execute arbitrary code on the server.
All versions of Netscape FastTrack Server, and Enterprise Server prior to 3.6 with service pack 3, are vulnerable.
The second vulnerability is in the HTTP Basic Authentication procedure. It affects servers which contain any pages that are password protected. An attacker could go to a password protected page and cause a buffer overflow by entering a very long username or password. A specially crafted string could be used to execute arbitrary code on the server.
Any Netscape Enterprise or FastTrack server containing password protected pages is vulnerable. Although Service Pack 3 for Enterprise Server 3.6 fixes the vulnerability in Enterprise Server, the Administration Server is still vulnerable.
If Directory Indexing is enabled on a Netscape Enterprise server, then Web Publishing tags can be used by a remote user to view directory listings on the server, even if there is an index.html file in the directory.
CVE-1999-0751
Note: Although the GET buffer overflow could be fixed by a patch which was released for Enterprise Server 3.6 service pack 2, the patch itself introduced another buffer overflow condition, and is not a recommended solution.
The workaround for the vulnerability in the Web Publishing tags is to disable Directory Indexing. To disable Directory Indexing, look in the obj.conf file for the following lines:

    Service method="(GET|HEAD)"
            type="magnus-internal/directory"
            fn="index-common"

Change the third line to:

            fn="send-error"
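The following script, an added example and not part of the SAINT tutorial or of Netscape's own tooling, checks an obj.conf for the directory-indexing Service directive described above and produces the hardened version with fn="send-error". It assumes the common one-directive-per-line obj.conf layout and uses a constructed sample configuration rather than a file from a real server.

```python
import re

# Constructed obj.conf fragment (not from a real server) containing the
# directory-indexing Service directive this tutorial describes.
SAMPLE_OBJ_CONF = """\
<Object name="default">
NameTrans fn="document-root" root="/usr/netscape/suitespot/docs"
PathCheck fn="find-index" index-names="index.html,home.html"
ObjectType fn="type-by-extension"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
AddLog fn="flex-log" name="access"
</Object>
"""

# Matches key="value" parameters on an obj.conf directive line.
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_directives(text):
    """Return a list of (directive_name, {param: value}) for each directive line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # skip blanks, comments and <Object>/</Object> markers
        name, _, rest = line.partition(" ")
        out.append((name, dict(PARAM_RE.findall(rest))))
    return out


def directory_indexing_enabled(text):
    """True if a Service directive still serves directory listings via index-common."""
    return any(
        name == "Service"
        and params.get("type") == "magnus-internal/directory"
        and params.get("fn") == "index-common"
        for name, params in parse_directives(text)
    )


def disable_directory_indexing(text):
    """Return obj.conf text with index-common replaced by send-error on directory Service lines."""
    fixed = []
    for line in text.splitlines():
        params = dict(PARAM_RE.findall(line))
        if (line.lstrip().startswith("Service")
                and params.get("type") == "magnus-internal/directory"
                and params.get("fn") == "index-common"):
            line = line.replace('fn="index-common"', 'fn="send-error"')
        fixed.append(line)
    return "\n".join(fixed) + "\n"
```

Running directory_indexing_enabled on a live obj.conf before and after the change confirms the workaround has actually been applied to every directory Service directive, not just the first one found.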
X-Force advisory 39 discusses the vulnerability in the HTTP Basic Authentication procedure.
See the Bugtraq postings for more information on the Web Publishing tags vulnerability and the solution.