COMMAND

    Netscape E.S. Web Publisher

SYSTEMS AFFECTED

    Netscape E.S. Web Publisher 3.5.1 (and others?)

PROBLEM

    Charles Chear found following very wide problem with ACL  settings
    and default settings with Netscape Enterprise Server (Publisher).

    With the default installation of Netscape Enterprise Server  3.5.1
    (and others possibly), a  java based package called  the "Netscape
    Web Publisher" is included.  This program is web based and is also
    linked on the default index which comes with Enterprise Server.

    After running an  extensive search of  the default index  content,
    Charles has  found various  sites running  Publisher, with  a poor
    application  of  the  ACL   (Access  Control  Lists)  options   of
    Enterprise Server (about 90% of the sites).

    Such actions that an intruder  could apply would be the  search of
    web  index   content,  web   root  directory   listing,  and   the
    viewing/downloading of "non-public" files in the web root.

    Here are descriptors which provides  a criteria of what should  be
    considered vulnerable:

        -The default Enterprise Server index is public
        -http://www.poorperms.null/publisher is publicly available
        -Proper and more secure ACL selections

    The  third  descriptor  is  one  quite important.  With Enterprise
    Server, we believe that you  have the option of picking  USER/PASS
    authentication  vs.  certificate  based  authentication.   Many of
    these  sites  pick  the  later,  certificate  authentication.   An
    intruder  could  simply  use  a  proxy  and/or  use other cloaking
    techniques, accept  the certificate,  and continue  on to  use the
    Publisher.

SOLUTION

    The solution(s) is one that is parted, where both Netscape and the
    customer/administrator  could  take  part  to provide solutions to
    this on going problem.

    Fixes:

        - Remove the default index and any default programs you do not
          use (such as Publisher, and Publisher Search)
        - If  Publisher  must  be  used, USER/PASS methods are  highly
          recommended rather than certificates
        - Use the ACL settings more efficiently (directory perms, etc)

    For more information on how to take control of ACL options,  refer
    to the help directory which comes with Enterprise Server, or visit
    the vendor's website at http://www.netscape.com.