COMMAND
netscape
SYSTEMS AFFECTED
Netscape with SuiteSpot
PROBLEM
The following is based on a Secirax Security Advisory. Affected
versions found are Netscape SuiteSpot running on:
* Netscape Enterprise/3.5.1C
* Netscape Enterprise/3.5.1G
* Netscape Enterprise/3.5 1I
* Netscape Enterprise/3.6 SP1
* Netscape Enterprise/3.6 SP2
* Netscape Enterprise/3.6 SP3
* Netscape Fasttrack/3.0.1
* Netscape Fasttrack/3.0.2
* Netscape Messaging Server/3.01
* Netscape Messaging Server/3.54
* Netscape Messaging Server/3.56
* Netscape Messaging Server/3.6
* Netscape Messaging Server/4.1
* Netscape Messaging Server/4.15
* Netscape Messaging Server/4.15p1
* Netscape Messaging Server/4.15p2
* Netscape Collabra Server/3.53
* Netscape Collabra Server/3.54
The administration server is a web-based server that contains the
Java and JavaScript forms you use to configure your Netscape
SuiteSpot servers. The authentication username and password for
this service are kept in a directory in the server root, readable
by default.
The administration server is installed when you first install a
SuiteSpot server. For remote logon, it authenticates by
validating the password prompt input against the administration
server password file. This password file is kept in a local
directory within the SuiteSpot server. The SuiteSpot superuser
password file is located at the following path:
http://www.server.com/admin-serv/config/admpw
or
http://<installDir>/admin-serv/config/admpw
It would not be visible via HTTP like that unless you decided to
create an httpd instance with <installDir> as its document root.
For iPlanet Web Server 4.0 and 4.1, try
<installDir>/https-admserv/config/
The admpw file is in the "user:password" format, with an
encrypted password field which can potentially be compromised by
a brute force attack. This user has full access to all features
in the administration server and sees all forms in the
administration server except the Users & Groups forms, since these
require a valid account in an LDAP server such as Netscape
Directory Server. However, this depends on your specific
configuration. Note that Netscape has always recommended that the
admin server run as root so it can do things like start httpd
instances (setuid() + binding to low ports like 80 and 443).
Anyone who obtains the Netscape admin password can fairly easily
create a new httpd instance running as root, enable CGI there,
and fairly quickly own the whole server (or at least the chroot()
jail if you bothered/succeeded to chroot Netscape).
The Netscape-Enterprise manual page on Administration Server
recommends that you write-protect the admpw file, since this is
not done by default. This leaves a security hole which allows
unauthorized third-party users to potentially gain full access to
the administration server console. The administration server
listens on the port you chose when installing SuiteSpot.
SOLUTION
1. Set write-protect permissions on the admpw file located at
<server_root>/admin-serv/config/admpw
2. Shut down the administration server in the following ways:
A. Go to Server Manager and choose Admin Preferences|Shutdown.
Click "Shut down the Administration Server".
B. On a UNIX system:
- To stop the administration server, go to your server root
and type "./stop-admin".
- To start or restart the server, type "./start-admin" and
"./restart-admin" respectively.
C. On NT:
- To stop the administration server, go to Control
Panel|Services. Select the "Netscape Administration
Server" and click Stop. To restart it, click Start.
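
Added example (not part of the original advisory) for step 1 of the solution: a shell check that reports whether the admpw file under a given server root is accessible to group or other users, plus a helper that removes that access. The function names are hypothetical, the file name admpw inside https-admserv/config/ is an assumption, and removing read access as well as write access goes one step past the write-protect advice because the file is readable by default.

```shell
#!/bin/sh
# Added example: audit the administration server password file.
# Paths are taken from the advisory; "admpw" as the file name inside
# https-admserv/config/ (iPlanet 4.0/4.1) is an assumption.

# Print the group/other permission bits of a file, e.g. "r--r--".
go_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_admpw SERVER_ROOT
# Returns 0 if every admpw found is closed to group and other,
#         1 if any admpw is accessible to group or other,
#         2 if no admpw file exists under SERVER_ROOT.
audit_admpw() {
    root=$1
    found=0
    bad=0
    for f in "$root/admin-serv/config/admpw" \
             "$root/https-admserv/config/admpw"; do
        [ -f "$f" ] || continue
        found=1
        bits=$(go_bits "$f")
        if [ "$bits" = "------" ]; then
            echo "OK    $f (group/other: $bits)"
        else
            echo "WEAK  $f (group/other: $bits)"
            bad=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no admpw under $root"; return 2; }
    return "$bad"
}

# harden_admpw SERVER_ROOT
# Strip all group/other access from each admpw file that exists.
harden_admpw() {
    for f in "$1/admin-serv/config/admpw" \
             "$1/https-admserv/config/admpw"; do
        [ -f "$f" ] && chmod go-rwx "$f"
    done
    return 0
}
```

Source the file, then run audit_admpw with your server root as the argument; run harden_admpw as the account that owns the administration server files.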