COMMAND

    Netscape WebPublisher

SYSTEMS AFFECTED

    Netscape Enterprise with WebPublisher

PROBLEM

    The following is based on a [ ZSH ] Advisory. Netscape WebPublisher
    is an add-on to Netscape's Enterprise webserver which allows remote
    file modifications, uploads and downloads. By downloading a number
    of Java applets, a third-party user can access WebPublisher and the
    webserver's directory structure without having a valid account on
    the system.

    This was tested on  Solaris and it was  found to be vulnerable  on
    following versions:

        - Netscape-Enterprise/3.5.1C
        - Netscape-Enterprise/3.5.1G
        - Netscape-Enterprise/3.5 1I
        - Netscape-Enterprise/3.6 SP1
        - Netscape-Enterprise/3.6 SP2
        - Netscape-Enterprise/3.6 SP3

    Netscape's WebPublisher software is an add-on to Netscape-Enterprise
    servers which allows file uploads and downloads, deleting files and
    changing permissions on files. WebPublisher installs by default in
    the /publisher directory on the webserver. This directory is
    accessible to any third-party user, who can then either install a
    local copy of WebPublisher or run the remote version and gain access
    to the system.

    Doing a GET on /publisher returns a page titled "WebPublisher Home
    Page" that contains some information about WebPublisher. On the
    page there is also a Start Webpublisher button which, when pressed,
    downloads the WebPublisher Java Applet set. The default size for
    this download is 677k. It will then autostart the Java Applets and
    ask you to grant three electronic certificates (developed by
    VeriSign). Once they are granted, the server will ask you for a
    username. You can enter any username you want here. It doesn't need
    to be a valid system username. The applet will continue and open
    the WebPublisher window itself, which will show you a directory
    listing of the webserver along with a menu at the top.

    This access violation lets you  see the virtual directory root  of
    the  webserver.   The  menubar  at  the  top  lets  you upload and
    download  files  and  directories,  modify  files, delete and move
    them. These requests do ask for a password, which can be brute
    forced. Nonetheless, WebPublisher is not supposed to allow
    directory listing and access (to open directories) to unauthorized
    third-party users.

SOLUTION

    #1 Uninstall WebPublisher or set directory permissions on the
       /publisher directory.
    #2 Apply Access Control to WebPublisher through the access control
       module.
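
    One way to confirm that fix #1 or #2 is in effect, as an added
    example that is not part of the original advisory: scan the
    server's access log for requests to /publisher that were served
    without an authenticated user. It assumes the log is written in
    Common Log Format; the sample lines, addresses, dates and the
    applet.jar file name are constructed.

```python
import re
from collections import defaultdict

# Assumed Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def is_publisher_path(path):
    """True for /publisher itself and anything beneath it (not /publisher2)."""
    p = path.split("?", 1)[0].lower()
    return p == "/publisher" or p.startswith("/publisher/")

def unauthenticated_publisher_hits(lines):
    """Map client host -> list of (timestamp, method, path, status) for
    requests to /publisher that were served (2xx/3xx) with no auth user."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m or not is_publisher_path(m["path"]):
            continue
        served = m["status"][0] in "23"   # 401/403 means access control worked
        anonymous = m["user"] == "-"      # "-" is CLF for "no authenticated user"
        if served and anonymous:
            hits[m["host"]].append(
                (m["ts"], m["method"], m["path"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2000:10:01:02 +0000] "GET /publisher HTTP/1.0" 200 1843
192.0.2.10 - - [12/Mar/2000:10:01:09 +0000] "GET /publisher/applet.jar HTTP/1.0" 200 693248
198.51.100.7 - - [12/Mar/2000:11:15:40 +0000] "GET /publisher HTTP/1.0" 401 223
198.51.100.7 - alice [12/Mar/2000:11:15:48 +0000] "GET /publisher HTTP/1.0" 200 1843
203.0.113.5 - - [12/Mar/2000:12:00:00 +0000] "GET /publisher2/index.html HTTP/1.0" 200 512
203.0.113.5 - - [12/Mar/2000:12:00:05 +0000] "GET /index.html HTTP/1.0" 200 2048
""".splitlines()

if __name__ == "__main__":
    for host, reqs in unauthenticated_publisher_hits(SAMPLE_LOG).items():
        for ts, method, path, status in reqs:
            print(f"{host} [{ts}] {method} {path} -> {status} (no auth user)")
```

    Any output after the fix has been applied means /publisher is still
    being served to clients that never authenticated.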