COMMAND

    asp & cfml

SYSTEMS AFFECTED

    Netscape Enterprise, O'Reilly WebSite, Commerce Builder (WinNT/95/98)

PROBLEM

    Programmers at San  Diego Source, the  online news service  of the
    San  Diego  Daily  Transcript,  have  discovered  a  security hole
    affecting Web  server software  from both  Netscape Communications
    and software and book publisher O'Reilly & Associates.

    The bug, allowing  for the display  of sensitive programming  code
    being served  by Windows  NT and  Windows 95  versions of Netscape
    Enterprise and  O'Reilly &  Associates' WebSite  Professional, can
    be used by hackers to glean information considered by  programmers
    to be invisible. The bug  could allow for easy display  of private
    documents  featuring  database  passwords,  user  names  and  even
    programming codes  that make  events occur  but are  not meant for
    public perusal.

    Bob  Denny,  lead  developer  for  O'Reilly  & Associates' WebSite
    Professional project, said  the new bug  stems from the  fact that
    users can  pass a  file name  containing extra  characters to  the
    NT/95/98 operating system. Windows  will accept the file  name and
    open a file by the same name, except with the trailing  characters
    removed.  More information about the bug will be available after
    proper patches have been made.  The bug, however, is similar to a
    Microsoft Internet Information Server glitch.

    The  bug  is  especially  important  to  developers because entire
    applications -- even entire sites  -- are built using Cold  Fusion
    markup language (CFML) and ASP.

    The details: Tack a %20 on to the end of a URL.
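
    The mismatch described above, modelled as an added example (it is
    not code from Netscape, O'Reilly or the original advisory): the
    handler is chosen from the requested name while the file is opened
    with the trailing space removed, shown beside a check that refuses
    non-canonical names. The handler table, function names and sample
    paths are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical handler table: extensions that must run server-side.
SCRIPT_EXTENSIONS = {".asp", ".cfm", ".cfml"}

# Allowlist for one path segment; a trailing space (or any other
# character outside the set) makes the segment non-canonical.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")


def handler_for(name):
    """Pick a handler from the extension of the name exactly as given."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    return "script" if ext in SCRIPT_EXTENSIONS else "static"


def naive_dispatch(raw_path):
    """Flawed pattern: map on the requested name, while the OS opens the
    file with the trailing space removed (modelled here with rstrip)."""
    name = unquote(raw_path).rsplit("/", 1)[-1]
    return handler_for(name), name.rstrip(" ")


def hardened_dispatch(raw_path):
    """Refuse non-canonical segments before any handler mapping."""
    segments = [s for s in unquote(raw_path).split("/") if s]
    if not segments or not all(SAFE_SEGMENT.fullmatch(s) for s in segments):
        return "reject", None
    return handler_for(segments[-1]), segments[-1]


def source_exposed(raw_path):
    """True when a script file would be returned as static content."""
    handler, opened = naive_dispatch(raw_path)
    return handler == "static" and handler_for(opened) == "script"


# Constructed sample requests, not taken from any real log.
SAMPLE_PATHS = ["/index.html", "/app/login.asp", "/app/login.asp%20",
                "/store/cart.cfm%20"]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, naive_dispatch(path), hardened_dispatch(path),
              source_exposed(path))
```

    The same source_exposed() test can be run over the request paths
    in a server access log to find requests that would have returned
    script source.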

SOLUTION

    The 2.3 release of WebSite Pro is scheduled for somewhere around
    July 1998.  The fix is implemented.  Netscape will issue a fix with
    the next point release of Enterprise, due to ship in September.
    For Netscape, go to:

        http://help.netscape.com/filelib.html#20

    A lot of times, developers will encrypt a Cold Fusion  application
    if  they  sell  it  so  that  the  source  code can't be reused or
    modified,  but  encrypting  an  entire  site  can  be difficult to
    manage.  Any bug fixes or  modifications would have to be made  to
    an unencrypted file, moved  and re-encrypted. When you're  dealing
    with a large number of files, this can seem like a tedious process
    until you get used to it.  However, it seems to be the only way now.