Date: Mon, 12 Oct 1998 13:20:11 +0200 From: Jorgen Smith To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: PageServices bug in Netscape Enterprise server Hi, Just in case it has not already been reported (my guess is that it has, and that a lid is put on this till Netscape works it out), I just received the following note (source unknown) saying that there is a bug in Netscape Enterprise Server that lets you browse the contents of any directory. The bug is effected by adding the parameter ?PageServices. It does not circumvent directory security, but internal pages or directories secured by their names only are open prey. **** Check out the e.g. . This is one list of servers affected/not affected by the bug: > site works? server > www.nasa.gov yes Netscape-Enterprise/3.5.1 > www.netscape.com no Netscape-Enterprise/2.01 > merchant.netscape.com no Netscape-Enterprise/3.0L > www.boisecascade.com yes Netscape-Enterprise/3.5.1B > www.home.net no Netscape-Enterprise/3.5.1 > www.pdi-corp.com yes Netscape-Enterprise/3.5.1 > www.anl.gov yes Netscape-Enterprise/3.5.1G > www.aqmd.gov no Netscape-Enterprise/2.01 > www.bop.gov yes? Netscape-Enterprise/3.01 > > That last one is different. If you click on "Web Publisher" you > will eventually get a java file browser for the web site. I'm not > sure if it will let you write files (it certainly seems so) but I > didn't want to try. **** What we are anxious to know is whether any patches are available. Browsing through Netscape's help and developer pages did not bring enlightenment. Regards, Jørgen Smith Programmer, Leo Burnett Interaktiv A/S -------------------------------------------------------------------- Date: Mon, 12 Oct 1998 13:53:28 +0200 From: Jorgen Smith To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: PageServices bug in Netscape Enterprise server I wrote: > What we are anxious to know is whether any patches are available. > Browsing through Netscape's help and developer pages did not > bring enlightenment. We found a workaround in setting Directory Indexing to "none"; the default setting is "fancy". In NSES 3.5.1, this is done in Document Preferences under Content Managment in the Admin interface. After setting DI to none, the client will receive a "Server Error" message instead of the directory listing. Regards, Jørgen Smith Programmer, Leo Burnett Interaktiv A/S