COMMAND

    Netscape Enterprise Server

SYSTEMS AFFECTED

    Netscape Enterprise Server

PROBLEM

    A problem in Netscape Enterprise Server can allow a remote user  to
    obtain a list of the directories and subdirectories on the server.

    Netscape Enterprise Server with 'Web Publishing' enabled can be
    tricked into displaying the list of directories and subdirectories
    if the user supplies certain 'tags' in the query string. For example:

        http://home.netscape.com/?wp-cs-dump

    will reveal the contents of the root directory on that web server.
    The contents of subdirectories can be obtained the same way. Other
    tags that can be used are:

        ?wp-ver-info
        ?wp-html-rend
        ?wp-usr-prop
        ?wp-ver-diff
        ?wp-verify-link
        ?wp-start-ver
        ?wp-stop-ver
        ?wp-uncheckout

    NES 3.6SP3 on IRIX is also vulnerable.
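    A defender's first question is whether anyone has already sent these
    tags. The following C program is an added example, not part of the
    advisory or of any Netscape code: it pulls the query string out of
    Common Log Format access-log lines and reports the Web Publisher tag
    the query starts with, using the same "query begins with a tag" test
    the NSAPI PathCheck module in the SOLUTION section applies. The log
    lines are constructed for the example; nothing else is assumed.

```c
#include <stdio.h>
#include <string.h>

/* Web Publisher tags named in the advisory, without the leading '?'. */
static const char *const wp_tags[] = {
    "wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop",
    "wp-ver-diff", "wp-verify-link", "wp-start-ver", "wp-stop-ver",
    "wp-uncheckout", NULL
};

/* Return the tag the query string begins with, or NULL if none.
   A tag appearing later in the query (e.g. "q=wp-cs-dump") does not count,
   which matches what the PathCheck module in the advisory tests for. */
const char *wp_tag_in_query(const char *query)
{
    size_t i;
    if (query == NULL)
        return NULL;
    for (i = 0; wp_tags[i] != NULL; i++)
        if (strncmp(query, wp_tags[i], strlen(wp_tags[i])) == 0)
            return wp_tags[i];
    return NULL;
}

/* Extract the query string from a Common Log Format line, i.e. the part of
   the request target after '?' inside the quoted "METHOD target HTTP/x.y"
   field, and classify it. Returns the matched tag or NULL. */
const char *wp_tag_in_log_line(const char *line)
{
    char query[256];
    const char *req, *target, *qmark;
    size_t len;

    req = strchr(line, '"');            /* opening quote of the request field */
    if (req == NULL)
        return NULL;
    target = strchr(req + 1, ' ');      /* skip the method */
    if (target == NULL)
        return NULL;
    target++;
    len = strcspn(target, " \"");       /* target ends at a space or the closing quote */
    qmark = memchr(target, '?', len);
    if (qmark == NULL)
        return NULL;                    /* no query string at all */
    qmark++;
    len -= (size_t)(qmark - target);    /* length of the query string itself */
    if (len >= sizeof query)
        len = sizeof query - 1;         /* truncate over-long queries; tags are short */
    memcpy(query, qmark, len);
    query[len] = '\0';
    return wp_tag_in_query(query);
}

/* Constructed sample access-log lines (not taken from any real server). */
#define SAMPLE_COUNT 5
const char *const sample_lines[SAMPLE_COUNT] = {
    "10.0.0.5 - - [10/Oct/1999:13:55:36 -0700] \"GET /?wp-cs-dump HTTP/1.0\" 200 2326",
    "10.0.0.5 - - [10/Oct/1999:13:55:40 -0700] \"GET /docs/?wp-ver-info HTTP/1.0\" 200 512",
    "10.0.0.7 - - [10/Oct/1999:13:56:01 -0700] \"GET /index.html HTTP/1.0\" 200 1024",
    "10.0.0.9 - - [10/Oct/1999:13:57:12 -0700] \"GET /search?q=wp-cs-dump HTTP/1.0\" 200 300",
    "10.0.0.9 - - [10/Oct/1999:13:57:30 -0700] \"GET /?wp-html-rend HTTP/1.0\" 404 0"
};

/* Count the lines whose query string starts with a Web Publisher tag. */
size_t count_wp_requests(const char *const *lines, size_t n)
{
    size_t i, hits = 0;
    for (i = 0; i < n; i++)
        if (wp_tag_in_log_line(lines[i]) != NULL)
            hits++;
    return hits;
}

int main(void)
{
    size_t i;
    for (i = 0; i < SAMPLE_COUNT; i++) {
        const char *tag = wp_tag_in_log_line(sample_lines[i]);
        if (tag != NULL)
            printf("line %lu: Web Publisher tag %s\n", (unsigned long)i + 1, tag);
    }
    printf("%lu of %d requests carry a tag\n",
           (unsigned long)count_wp_requests(sample_lines, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

    Three of the five constructed lines are flagged; the fourth line is
    not, because the tag only appears as a parameter value, not at the
    start of the query. A 404 on a flagged line (the last sample) is what
    a server running the PathCheck module below would log.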

SOLUTION

    The only way to disable this 'feature' was to edit the file
    ns-httpd.so (under Solaris) and modify the strings inside it; for
    example, change '?wp-cs-dump' into '?ab-cd-efg', or whatever.

    The attached NSAPI code was tested on NES 3.63 on Solaris and also
    seems to stop the problem on the server we can't disable directory
    browsing on.

    #include <string.h>           /* strstr */
    #include "base/pblock.h"      /* pblock_findval */
    #include "frame/http.h"       /* PROTOCOL_NOT_FOUND */

    /*
        PW-no-wpleak.so

        Usage:
        At the beginning of obj.conf:
            Init fn=load-modules shlib=PW_no_wpleak.so funcs="PW-no-wpleak"
        Inside an object in obj.conf (preferably at the top of the default object):
            PathCheck fn=PW-no-wpleak

        The PathCheck gives a 404 for any request containing known WebPublisher tags
        (i.e. with a QUERY_STRING beginning with a known tag).
     */

    NSAPI_PUBLIC int PW_no_wpleak(pblock *pb, Session *sn, Request *rq)
    {
        /* query string of the request, without the leading '?' */
        char *requestQuery = pblock_findval("query", rq->reqpb);
        char *webPubTags[] = {
            "wp-cs-dump",
            "wp-ver-info",
            "wp-html-rend",
            "wp-usr-prop",
            "wp-ver-diff",
            "wp-verify-link",
            "wp-start-ver",
            "wp-stop-ver",
            "wp-uncheckout",
            NULL
        };
        int i;

        /* bail out if there is no query string to examine */
        if (!requestQuery) return REQ_NOACTION;

        /* reject the request if the query string starts with a known tag */
        for (i = 0; webPubTags[i] != NULL; i++) {
            if (strstr(requestQuery, webPubTags[i]) == requestQuery) {
                /* found a match, throw a 404 error */
                protocol_status(sn, rq, PROTOCOL_NOT_FOUND, NULL);
                return REQ_ABORTED;
            }
        }

        /* looks OK, let the remaining PathCheck functions run */
        return REQ_NOACTION;
    }

    ACLs cannot stop this problem; it looks like NES parses the '?wp'
    tags even before the request is checked against ACLs (tried under
    Solaris). It seems SAFER found options a client can pass to the
    server in order to use this feature. Because many people were
    unaware of this function, it seems like a vulnerability.

    To turn it off via the Admin Interface, select your web site, then
    select Content Management->Document Preferences. Under the item
    titled "Directory Indexing" select none.

    To turn it off in the config, look for this option in obj.conf:

        Service method="(GET|HEAD)" type="magnus-internal/directory"
        fn="index-common"

    Set fn equal to: fn="send-error"

    This "feature", however, lists the contents of a directory even when
    there is a valid index file in that directory. In such a case the
    server is supposed to display the index file, not a directory
    listing. Clearly, the observed behaviour is not what most system
    administrators would expect.