COMMAND

    Netscape Web Publisher

SYSTEMS AFFECTED

    Who runs that...

PROBLEM

    Tim Jones posted the following.  This is not a HOLE.  By default
    Netscape Enterprise/3.5.1I installs a lot of shit that you will
    never need or use.  But like most things people don't use, people
    don't remove them.  A major thing that Netscape installs is
    Netscape Web Publisher, which you can access via HTTP.  By default
    it's /publisher/.  Like on www.fbi.gov/publisher/, click on Start
    Web Publisher.  Then, after the Java app loads, it will ask you
    for a Username and Password.  Well, just leave them blank and hit
    ENTER.  Now this is a bad idea because anyone could just brute
    force the user name and password.  Then, after you do or don't
    enter a user name and password, it will show you ALL files in the
    web dir.  Now this is also a bad idea because some people leave,
    oh, password lists, user names, CC info in the web dir, all of
    which you could access from the web if you had the info on where
    it was.  So in short it's a BAD idea to leave /publisher/ on
    Netscape on.  You should remove /publisher/.  Most people don't
    give a shit!

    This is another way to use the ?PageServices problem on Netscape
    Servers.  ?PageServices may list directories, from the document
    root (i.e. www.server.com/?PageServices) down to specific
    directories inside the server (i.e.
    www.server.com/html/?PageServices).  This directory content
    listing can happen even if the admin has configured the default
    page in a directory to be index.htm or whatever.  Now, this may
    help a malicious, evil, dark-side-of-the-force cracker to get some
    nice information, like the content of a /stats/ directory with raw
    logs stored inside.  You might find in there some IPs followed by
    a user name.  This is the first step, of course.  For the next
    step, go to Defcon and attend the social engineering contest.

    Now what's worse about this ?PageServices or /publisher/ stuff?
    Well, on a misconfigured server, you can try

        http://www.server.com/?pageservices

    (no, it's not the same; mind the case) and you might get access to
    a remote admin page that is not exactly the same as the one shown
    in Tim Jones' story above [the result of www.server.com/publisher/].
    You can see an image here if you really are interested in this
    stuff:

        http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/lafinanceendirect.htm

    Now what?  Well, on this page you can get access to the Web
    Publisher, to the Access control tool and more.  OK, you still
    need a user ID and a password to publish something.  Sometimes
    you'll get the user ID in the field "Owner" of the Web Publisher
    window.  Second step: again, syntax error, goto 110, err... no:
    go to Defcon and listen carefully to what will be said during the
    social engineering contest.  And if none of these works, you also
    have the /publisher/ trick.

    And that is the interesting part of Tim's post.  Because if the
    admin (he's smart...) has disabled access to the remote admin page
    through /?pageservices, you can try /publisher/.  It might work in
    some cases.

    The C code did not work out well, so here is the Tcl version.
    Usage:

        ./netscape-test.tcl -i <host>

    or edit the file "check_hosts", add your own hosts to check, one
    per line, and then run

        ./netscape-test.tcl

    check_hosts:

        www.example.com
        www.example.net
        www.example.org
    netscape-test.tcl

    #!/usr/bin/tclsh
    #
    # By Nicholas W. Blasgen, 1999
    #
    # Thanks to Tim Jones <cybersysop813@HOTMAIL.COM> for the BugTraq post
    #
    # Distributed under GPL licence
    #
    # Requests /publisher/ from each host and inspects the response
    # headers: anything that is not Netscape-Enterprise, or is newer
    # than 3.5, is skipped; a Last-modified date before 1998 on the
    # /publisher/ page is taken as a sign that the stock Web Publisher
    # install is still sitting there untouched.

    proc doConnect { host } {
        # Open the connection inside catch so one unreachable host
        # does not abort a whole check_hosts run.
        if { [catch { socket $host 80 } s] } {
            puts "${host}: Connection failed ($s)"
            return
        }
        puts $s "GET /publisher/ HTTP/1.0"
        puts $s "Host: $host"
        puts $s ""
        flush $s
        set response [read $s]
        close $s

        foreach b [split $response "\n"] {
            # Headers arrive with CRLF line endings; drop the CR.
            set b [string trimright $b "\r"]
            if { $b == "" } { continue }
            # Header names are matched case-insensitively.
            set object [string tolower [lindex $b 0]]
            if { $object == "server:" } {
                set version [split [lindex $b 1] "/"]
                if { [lindex $version 0] != "Netscape-Enterprise" } {
                    puts "${host}: Not Netscape-Enterprise"
                    return
                }
                # "3.5.1I" -> "3.5", compared numerically
                set version [split [lindex $version 1] "."]
                set version "[lindex $version 0].[lindex $version 1]"
                if { $version > 3.5 } { puts "${host}: New Version..."; return }
            }

            if { $object == "last-modified:" } {
                # "Last-modified: Wed, 31 Dec 1997 02:44:03 GMT" -> year is field 4
                set year [lindex $b 4]
                if { $year < 1998 } { puts "${host}: Looks like this might have a problem"; return }
            }
        }
        puts "${host}: No problem"
        return
    }

    if { [lindex $argv 0] == "-i" } {
        # Single host given on the command line
        doConnect [lindex $argv 1]
    } else {
        # Otherwise read one host per line from check_hosts
        set fd [open "check_hosts" r]
        foreach a [split [read $fd] "\n"] {
            set a [string trim $a]
            if { $a == "" } { continue }
            doConnect $a
        }
        close $fd
    }

    #
    # Sample response from a host with the default install (headers only):
    #
    # HTTP/1.1 200 OK
    # Server: Netscape-Enterprise/3.5.1I
    # Date: Mon, 08 Nov 1999 02:55:57 GMT
    # Content-type: text/html
    # Link: <http://www.fbi.gov/publisher/?PageServices>; rel="PageServices"
    # Last-modified: Wed, 31 Dec 1997 02:44:03 GMT
    # Content-length: 11421
    # Accept-ranges: bytes
    # Connection: close
    #
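    The Tcl script above only looks at the Server and Last-modified
    headers.  The sample response it documents carries a third signal
    that it ignores: a Link header with rel="PageServices", which the
    server only emits when the ?PageServices feature discussed above
    is switched on.  The following is an added example, not the
    advisory's or Nicholas Blasgen's code: it parses a /publisher/
    response, checks the status code, the Server version, that Link
    header and the Last-modified year, and gives a verdict in the same
    style as the Tcl script.  The embedded response is constructed
    from the headers shown on this page with the host changed to
    www.example.com; the probe() helper that talks to a live host is an
    assumption and is not exercised offline.

```python
"""Classify a Netscape Enterprise /publisher/ response for the exposure
described in this advisory.  Added example; not the advisory's own Tcl
script.  SAMPLE_RESPONSE is constructed from the headers on this page
(host changed); probe() is an assumed live helper."""
import re
import socket

# Constructed from the sample response on this page (headers only; the
# 11421-byte body is omitted, and the host is www.example.com).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Netscape-Enterprise/3.5.1I\r\n"
    "Date: Mon, 08 Nov 1999 02:55:57 GMT\r\n"
    "Content-type: text/html\r\n"
    "Link: <http://www.example.com/publisher/?PageServices>; rel=\"PageServices\"\r\n"
    "Last-modified: Wed, 31 Dec 1997 02:44:03 GMT\r\n"
    "Content-length: 11421\r\n"
    "Accept-ranges: bytes\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP/1.x response into (status_code, {name: value}).
    Names are lower-cased: Netscape-Enterprise emits 'Last-modified'
    and 'Content-type' in mixed case."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw):
    """Return findings for one /publisher/ response:
    netscape               Server header names Netscape-Enterprise
    version                (major, minor) from the Server header, or None
    publisher_reachable    /publisher/ answered 200 rather than 401/403/404
    pageservices_advertised a Link header with rel="PageServices"
    stale                  Last-modified year before 1998 (the Tcl heuristic)"""
    status, h = parse_headers(raw)
    m = re.match(r"Netscape-Enterprise/(\d+)\.(\d+)", h.get("server", ""))
    version = (int(m.group(1)), int(m.group(2))) if m else None
    link = h.get("link", "")
    year_match = re.search(r"\b(\d{4})\b", h.get("last-modified", ""))
    year = int(year_match.group(1)) if year_match else None
    return {
        "netscape": m is not None,
        "version": version,
        "publisher_reachable": status == 200,
        "pageservices_advertised": bool(re.search(r'rel="?PageServices"?', link, re.I)),
        "stale": year is not None and year < 1998,
    }


def verdict(findings):
    """Collapse the findings into one line in the Tcl script's style."""
    if not findings["netscape"]:
        return "Not Netscape-Enterprise"
    if findings["version"] > (3, 5):
        return "New Version..."
    if findings["publisher_reachable"] and (
            findings["pageservices_advertised"] or findings["stale"]):
        return "Looks like this might have a problem"
    return "No problem"


def probe(host, path="/publisher/", timeout=10):
    """Assumed live helper: fetch `path` from `host` on port 80 and
    classify it.  Only the headers are needed, so reading stops at the
    blank line."""
    with socket.create_connection((host, 80), timeout=timeout) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify(raw.decode("latin-1", "replace"))


if __name__ == "__main__":
    print(verdict(classify(SAMPLE_RESPONSE)))
```

    A 401, 403 or 404 on /publisher/ is reported as "No problem" even
    on an old 3.5.x server, since that is exactly what a removed or
    access-controlled Web Publisher looks like; the Tcl script would
    still flag such a host on the Last-modified date alone.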

SOLUTION

    This is related to the /?PageServices issue: turn off directory
    indexing on the server, and remove or disable the Web Publisher
    (/publisher/) if it is not used, so that neither the directory
    listing nor the publisher login page is reachable from the outside.
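    Until the server is fixed, the requests described in this advisory
    are easy to spot in the access log.  The following is an added
    example for the defensive side, not part of the original post: it
    walks Common Log Format lines and returns every request for the
    Web Publisher directory or for any path carrying a PageServices
    query, in either case.  The log lines and client addresses are
    constructed.

```python
"""Flag access-log requests that probe for /publisher/ or ?PageServices.
Added example; not part of the original advisory.  The log lines are
constructed, in Common Log Format, with made-up client addresses."""
import re
from urllib.parse import urlsplit

# Constructed sample: three probes (one lower-case) and two benign hits.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/1999:02:55:57 +0000] "GET /publisher/ HTTP/1.0" 200 11421
10.0.0.5 - - [08/Nov/1999:02:56:10 +0000] "GET /?PageServices HTTP/1.0" 200 2310
10.0.0.9 - - [08/Nov/1999:03:01:44 +0000] "GET /stats/?pageservices HTTP/1.0" 200 9127
10.0.0.7 - - [08/Nov/1999:03:02:00 +0000] "GET /index.htm HTTP/1.0" 200 1532
10.0.0.7 - - [08/Nov/1999:03:02:01 +0000] "GET /images/logo.gif HTTP/1.0" 200 4012
"""

# client ident user [timestamp] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def is_probe(request_target):
    """True for the URL patterns this advisory describes: the Web
    Publisher directory, or any path with a PageServices query.  Both
    are matched case-insensitively, since /?pageservices reaches a
    different page than /?PageServices but is just as interesting."""
    parts = urlsplit(request_target)
    return (parts.path.lower().startswith("/publisher")
            or parts.query.lower() == "pageservices")


def find_probes(log_text):
    """Return (client, timestamp, target, status) for each probing
    request.  The status is kept because a 200 means the request got
    an answer, while 401/403/404 shows the admin already disabled it."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        client, ts, _method, target, status, _size = m.groups()
        if is_probe(target):
            hits.append((client, ts, target, int(status)))
    return hits


if __name__ == "__main__":
    for client, ts, target, status in find_probes(SAMPLE_LOG):
        print(f"{client} {ts} {target} -> {status}")
```

    Pipe the real log through find_probes() and group by client: one
    address walking /?PageServices, then /stats/?PageServices, then
    /publisher/ is the sequence the text above describes.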