COMMAND

    Netscape

SYSTEMS AFFECTED

    - Netscape Certificate Management System 4.2 (MS Windows NT 4.0 version)
    - Netscape Directory Server 4.12 (MS Windows NT 4.0 version)

PROBLEM

    Following is based on CORE SDI Security Advisory  CORE-2000-10-26.
    Netscape  (iPlanet)   Certificate  Management   System,   Netscape
    Directory  Server  and   Netscape  Administration  Servers   share
    components which suffer from two notable vulnerabilities.

    1. Path Traversal Vulnerability
    ================================
    The first vulnerability is a classic path traversal  vulnerability
    whereby a user can supply  a crafted URL and access  files outside
    the web root directory.  This will result in the remote user being
    able to read/download any files which the server itself (based  on
    its permissions) may access.

    2. Administrator password is stored in clear text
    =================================================
    The 'Admin' password for these packages is stored in plaintext  in
    admin-serv\config\adm.conf.   This  in  addition  to  the previous
    vulnerability will  allow anyone  to obtain  the password remotely
    and perform  admin duties  if net  access to  the admin  server is
    available.

    These vulnerabilities were found by Emiliano Kargieman and Agustin
    Kato Azubel from CORE SDI S.A., Buenos Aires, Argentina.

    Several components installed by CMS  4.2 for Windows NT 4.0  allow
    an  attacker  to  read/download  any  file  outside  the  web root
    directory provided that access to any of the following servers  is
    given:

        - The Agent services server on port 8100/tcp
        - The  End Entity  services server  on port  443/tcp (This  is
          normally accessible for any user over SSL)
        - The Administrator services server listening on a random port
          chosen during the installation process, or on port 8200   if
          configured to do so (not the default behavior).

    By  using  '\../'  in  the  URI  an  attacker  can  get out of the
    server's root directory and open any file.  The following  example
    demonstrates the problem using the End Entity services server.  A
    request for

        https://server/ca/\../\../\../\../\../\win.ini

    will open and display the requested file.
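
    The defensive check below is an added example and is not code from
    CORE SDI or from the Netscape/iPlanet products. It shows why the
    '\../' form slips past a filter that only looks for '/../': on a
    Windows file layer the backslash is also a separator, so a server
    must canonicalise both separators (and percent-encoding) before
    deciding whether a request stays inside the web root. The web root
    path and the sample request lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample request paths (not taken from any real capture):
# one legitimate request, the advisory's backslash traversal pattern,
# a plain '/../' pattern aimed at the admin-serv config file, and a
# percent-encoded variant of the backslash form.
SAMPLE_REQUESTS = [
    "/ca/index.html",
    "/ca/\\../\\../\\../\\../\\../\\win.ini",
    "/ca/../../../../admin-serv/config/adm.conf",
    "/ca/%5C..%2F%5C..%2Fwin.ini",
]

# A '..' segment delimited by separators after canonicalisation.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def normalise_request_path(raw_path: str) -> str:
    """Decode percent-encoding twice (to defeat double encoding) and
    map backslashes to forward slashes, as a Windows file layer would
    treat them."""
    decoded = unquote(unquote(raw_path))
    return decoded.replace("\\", "/")


def contains_traversal(raw_path: str) -> bool:
    """Detection rule: flag any request whose canonical form contains a
    '..' path segment. Suitable for scanning access-log request paths."""
    return TRAVERSAL_RE.search(normalise_request_path(raw_path)) is not None


def resolve_under_webroot(webroot: str, raw_path: str):
    """Map a request path onto the filesystem and return the canonical
    target, or None if it escapes the web root. Assumes a POSIX-style
    path layout; a real server would also resolve symlinks (realpath)."""
    root = posixpath.normpath(webroot)
    path = normalise_request_path(raw_path)
    target = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def scan_requests(requests):
    """Return the subset of request paths that carry a traversal."""
    return [r for r in requests if contains_traversal(r)]


if __name__ == "__main__":
    # Hypothetical web root used only for this demonstration.
    WEBROOT = "/srv/cms/docroot"
    for req in SAMPLE_REQUESTS:
        verdict = "TRAVERSAL" if contains_traversal(req) else "ok"
        print(f"{verdict:9} {req!r} -> {resolve_under_webroot(WEBROOT, req)}")
```

    Running the block prints a verdict and the resolved target for each
    sample; every traversal form resolves to a path outside the web
    root and is returned as None, while the legitimate request maps to
    a file beneath it.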

    Admin password is stored in plaintext in admin-serv\config\adm.conf.
    This in addition to the  previous bug will allow anyone  to obtain
    the password remotely  and perform admin  duties if net  access to
    the admin server is available.

SOLUTION

    Contact the vendor for a fix.  Patches for iPlanet products can be
    obtained from:

        http://www.iplanet.com/downloads/patches.index.html