Date: Mon, 7 Jun 1999 10:59:15 +0200
From: "Jesús López de Aguileta"
To: BUGTRAQ@netspace.org
Subject: Netscape Fasttrack 3.01 allows directory listing

Hi all,

I recently have downloaded a trial version of Fasttrack server (3.01) for NT.

According to Netscape documentation:

----8<------------------------8<-------------------8<---
Specifying index filenames

If a document name is not specified in the URL, and the server finds a file with this name in a document directory, it assumes that file is the index file. The server automatically displays this file when no specific file is requested. The defaults are index.html and home.html.

If more than one name is specified, the server looks in the order in which the names you specified appear until one is found. For example, if your index filenames are index.html, home.html, the server first looks for index.html, and if the server doesn't find it, then the server looks for home.html.
------8<--------------8<---------------8<--------------------

Well, having this configuration:

Index Filenames: index.html
Directory indexing: fancy or simple

and HAVING an index.html file in root directory, if you telnet to default httpd port and type:

get / (lowercase)

You will get a directory listing of the root directory.

Workaround: Disable directory listing.

Netscape has been notified.

Regards,

Jesús López de Aguileta
Eunate Net
jesus.la@acc-comunicacion.es

-------------------------------------------------------------------------------

Date: Tue, 8 Jun 1999 20:03:23 +0200
From: "Jesús López de Aguileta"
To: BUGTRAQ@netspace.org
Subject: Fasttrack 3.01 allows directory listing

Hi,

Keith R. Jarvis has found the same issue in
http://geek-girl.com/bugtraq/1998_1/0092.html

After more than one year Netscape don't warn their customers about this security flaw. In http://www.netscape.com/security/notes/index.html, are the "current and previous security notes [...] concerning the security of our client, server, and development software".

No comment :(

Jesús López de Aguileta
Eunate Net

-------------------------------------------------------------------------------

Date: Wed, 9 Jun 1999 08:22:14 -0600
From: Demian Ginther
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Fasttrack 3.01 allows directory listing

This same thing works on FastTrack 3.5 for Netware. You can also put any directory name after the / to see what's in the lower directories.
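
A log check for the behaviour reported in this thread, as an added example that is not part of the original posts: it scans access-log lines for successful requests whose method token is not uppercase, such as the `get /` described above. It assumes the server writes Common Log Format with the request line recorded verbatim; the function names and sample log lines are constructed for illustration.

```python
import re

# Common Log Format: host ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

def parse(line):
    """Split one CLF line into fields; return None if it does not match."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, when, request, status, size = m.groups()
    parts = request.split()
    return {
        "host": host,
        "time": when,
        "method": parts[0] if parts else "",
        "path": parts[1] if len(parts) > 1 else "",
        "status": status,
        "size": size,
    }

def lowercase_method_hits(lines):
    """Return 2xx entries whose method is not written in uppercase.

    HTTP method names are case-sensitive, so ordinary clients send "GET".
    A successful "get" means the server accepted a request form that
    bypassed its index-file handling in the reports above.
    """
    hits = []
    for line in lines:
        entry = parse(line)
        if entry is None or not entry["method"]:
            continue
        if entry["method"] != entry["method"].upper() and entry["status"].startswith("2"):
            hits.append(entry)
    return hits

# Constructed sample input (documentation address range, invented sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jun/1999:10:59:15 +0200] "GET / HTTP/1.0" 200 1520',
    '192.0.2.44 - - [07/Jun/1999:11:02:01 +0200] "get /" 200 4311',
    '192.0.2.44 - - [07/Jun/1999:11:02:09 +0200] "get /docs" 200 2877',
    '192.0.2.77 - - [07/Jun/1999:11:05:30 +0200] "get /missing" 404 210',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for hit in lowercase_method_hits(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["method"], hit["path"], hit["size"])
```

Once directory indexing is disabled as the workaround says, entries like these should no longer appear with a 2xx status and a listing-sized response.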