|
Date: Fri, 24 Apr 1998 12:48:02 +0100 From: Daragh Malone <daragh_malone@ACCURIS.IE> To: BUGTRAQ@NETSPACE.ORG Subject: Security Hole in Netscape Enterprise Server 3.0 Hi All, I don't know if there is a patch for this, or if this is already well known, but here it is. A simple workaround follows. Problem: Livewire Applications are downloadable. (Passwords are unencrypted) Platform: DEC UNIX 4.0D (possibly all Unixes/NT) Description: Livewire applications are basically server-side Javascript applications that behave similiar to Active Server Pages. The main difference is that Livewire applications are compiled to a proprietary byte executable that contains all the pages in the application. These applications are generated with .web extensions. In their own example, the game hangman is accessed as http://www.myserver.com/hangman/ and the application is hangman.web. So accessing http://www.myserver.com/hangman/hangman.web will download the application to your browser. The second problem lies in the fact that all the pages are readable, and that database username/passwords are unencrypted, unless specifically encrypted in your application. The two problems combined can compromise security. This problem occurs regardless of Web directory permissions from a server level. Quick Workaround: Rename the .web application to something cryptic like G6r$79k9.web and make sure that the directory it's in isn't a document directory. Rant: I verified this problem on a few Internet sites, which leads to the question: If you verify a web security problem (remember 5e1 .. at the end of Active Server Pages) is this technically illegal. If anyone knows if this problem has been fixes I'd really appreciate it. Thanks, D.Malone.