COMMAND

    Netscape Enterprise Server

SYSTEMS AFFECTED

    Systems running Netscape Enterprise Server 3.0

PROBLEM

    Daragh Malone found the following.  Livewire applications are
    basically server-side JavaScript applications that behave similarly
    to Active Server Pages.  The main difference is that Livewire
    applications are compiled to a proprietary bytecode executable that
    contains all the pages in the application.  The compiled application
    is written with a .web extension.  In Netscape's own example, the
    game hangman is accessed as

        http://www.myserver.com/hangman/

    and the application is hangman.web.  So accessing

        http://www.myserver.com/hangman/hangman.web

    will download the compiled application to your browser.  The second
    problem is that all the pages inside the .web file are readable, and
    that database usernames and passwords in it are stored in clear text
    unless your application specifically encrypts them.  These two
    problems combined can compromise security.  The download works
    regardless of the Web directory permissions set at the server level.

SOLUTION

    You will have to protect your Web applications using the  Wildcard
    protection feature. It's mentioned at Netscape's Developer site in
    the Technotes/FAQ at:

        http://developer.netscape.com.

    Deny access to all *.web requests.  You may also rename the .web
    application to something cryptic like G6r$79k9.web and make sure
    that the directory it's in isn't a document directory.  A better
    workaround is to put the actual .web file in a protected directory
    above the website's document directory, which is more secure than
    renaming the file.  The problem with the default setup (and with the
    renaming approach) is that the .web file still lies in a
    publicly-readable directory.  Put it somewhere where the OS can
    protect it instead.
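
    The following shell script is an added example, not part of the
    advisory or of Netscape's software.  It audits the two conditions the
    solution asks for: that no compiled .web application sits under the
    document root, and that the .web file that is kept outside it is not
    world-readable.  The directory layout and file names in the demo are
    constructed for the illustration; the only real input is the path of
    your server's document root.

```shell
#!/bin/sh
# Added audit helper (not part of the advisory): checks where compiled
# LiveWire .web applications live and who can read them.

# List every compiled LiveWire application (*.web) below the document
# root; such a file can be fetched verbatim by any browser.
# Prints the offending paths; returns 0 when none exist, 1 otherwise.
find_exposed_web_files() {
    docroot=${1%/}
    exposed=$(find "$docroot" -type f -name '*.web' 2>/dev/null)
    if [ -z "$exposed" ]; then
        return 0
    fi
    printf '%s\n' "$exposed" | sed 's/^/EXPOSED: /'
    return 1
}

# Check that a .web file is kept outside the document root and is not
# world-readable, so that the OS rather than the web server protects it.
# Returns 0 when both hold, 1 when the file is under the document root,
# 2 when it is world-readable.
check_web_file_protected() {
    webfile=$1
    docroot=${2%/}
    case "$webfile" in
        "$docroot"/*)
            echo "UNDER DOCROOT:  $webfile"
            return 1
            ;;
    esac
    # -perm -004: the "other" read bit is set (POSIX find, octal mode)
    if [ -n "$(find "$webfile" -perm -004 2>/dev/null)" ]; then
        echo "WORLD-READABLE: $webfile"
        return 2
    fi
    echo "OK:             $webfile"
    return 0
}

# Constructed layout for the demonstration: a document root holding the
# hangman application the way the default setup leaves it, plus a copy
# moved one level above the document root with restrictive permissions.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/docs/hangman" "$demo_root/apps"
echo 'placeholder for compiled bytecode' > "$demo_root/docs/hangman/hangman.web"
echo 'placeholder for compiled bytecode' > "$demo_root/apps/hangman.web"
chmod 644 "$demo_root/docs/hangman/hangman.web"
chmod 640 "$demo_root/apps/hangman.web"

if find_exposed_web_files "$demo_root/docs"; then
    echo "no .web files under the document root"
fi
check_web_file_protected "$demo_root/docs/hangman/hangman.web" "$demo_root/docs" || true
check_web_file_protected "$demo_root/apps/hangman.web" "$demo_root/docs" || true

rm -rf "$demo_root"
```

    Run it against the real document root after moving the .web file,
    and treat any EXPOSED or WORLD-READABLE line as a finding.  The
    check only covers the file system side of the workaround; the
    server-side denial of *.web requests described above still has to be
    configured separately.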