COMMAND

    JHTML

SYSTEMS AFFECTED

    Netscape Enterprise Server

PROBLEM

    Mnemonix  found   following.   Netscape   Enterprise  Server   has
    introduced JHTML,  the Netscape  equivalent of  Microsoft's Active
    Server  Pages.   On  poorly  configured  sites  it  is possible to
    retrieve the unparsed source of  these JHTML files.  This  problem
    affect  3.5.1  and  possibly  other  versions  such  as 3.6 on all
    platforms such as Windows NT and Solaris.

    Netscape Enterprise Server has  a built-in search engine  which is
    operational by default.   This search engine  uses Pattern  (.pat)
    files to  regulate and  format the  results.   These pattern files
    can be found in the /search-ui/text directory.  The search  engine
    can be  configured by  editing these  pattern files  to return the
    whole  document  in  the  search  results  - however, this must be
    turned on by the Admin by making modifications to a "collection's"
    dblist.ini to point the NS-tocrec-pat to the HTML-tocrec-demo1.pat
    pattern file as per the Netscape documentation.

    It is possible,  however, to build  a special search  request that
    will return the whole the  document in the search results  without
    this feature having to be turned on.  In this way we can  retrieve
    the source of JHTML files and other scripts.

        http://no-such-server/search?NS-search-page=results&NS-query=A&NS-collection=B&NS-tocrec-pat=/text/HTML-tocrec-demo1.pat

    where A is the query e.g. the word "that" and B is the  collection
    e.g.   "Web+Publish" or  "web_htm".   Being fair  to Netscape,  in
    their  documentation  is  states  that  HTML-tocrec-demo1.pat only
    displays HTML files - though this implies that if the file is  not
    HTML, which JHTML is not just quite, it won't be displayed.   This
    obviously is wrong.  Another way is to get the source is to  issue
    the request:

        http://no-such-server/search?NS-search-page=document&NS-rel-doc-name=/path/to/indexed/file.jhtml&NS-query=URI!=''&NS-collection=A

    where  A  is  the  collection  without  having  to  go through the
    rigmarole of playing around with HTML-tocrec-demo1.pat in the URL.

SOLUTION

    The  solution  to  this  problem  is  to store all JHTML files (or
    other scripts) in a directory that  is not indexed and be wary  of
    the default  Web Publishing  collection.   If you  don't need  the
    search capability of NSE then disable it.