Hi,

This is another way to use the ?PageServices problem on Netscape Servers...

?PageServices may list directories from root (i.e.
www.server.com/?PageServices) to specific directories inside the server (i.e.
www.server.com/html/?PageServices). This might happen (directory content
listing) even if the Admin wants the default page in a directory to be
index.htm or whatever... Now, this may help a malicious evil
darksideoftheforce cracker to get some nice information like the content of
a /stats/ directory with raw logs stored inside... You might find in there
some IPs followed by a user name. This is the first step of course. For the next
step, go to Defcon and attend the social engineering contest.

Now what's worse about this ?PageServices or /publisher/ stuff

Well, on a misconfigured server, you can try www.server.com/?pageservices
(nah, it's not the same, mind the caps) and you might get access to a remote
admin page that is not exactly the same as the one shown in Tim Jones' post
[i.e. the result of www.server.com/publisher/]. [You can see an image here if
you really are interested in this stuff:
http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/lafinanceendirect.htm ]
Now what?
Well, on this page, you can get access to the Web Publisher, to the Access
control tool and more... Ok, you still need a user ID and a password to
publish something... Sometimes you'll get the User ID in the field "Owner"
of the Web Publisher window. Second step: again, syntax error goto 110
errr. No..., go to Defcon and listen carefully to what will be said during
the social engineering contest...

And if none of these work, you also have the /publisher/ trick.
:)

And that is the interesting part of Tim's post. Because if the Admin (he's
smart...) has disabled the access to the remote admin page through
/?pageservices, you can try /publisher/ -- It might work in some cases...
:))

Now... I want to make Tim more comfortable...
Me and my beloved friends at Kitetoa have mailed tons of [EMAIL PROTECTED],
[EMAIL PROTECTED] and [EMAIL PROTECTED] about their problems with the
?PageServices, ?pageservices, and Web Publisher... And I'm not even talking
of the famous eEye bug on IIS... you just can't imagine how many French
servers are at risk.

Well... What's their answer?

Nothing.

What do they do about it?

Nothing.

Just like the FBI I guess...

The only answer we got [months after our initial mail] was from a **very**
famous internet discount broker [the Web Publisher loaded a _vti_pvt
directory with a users.pwd file in it]. Their answer was: this is untrue and
... It's not a risk for our server.... But they fixed that within some hours.

It took months before they admitted the risk was (very) high. In the first
place they said they would sue us.

One must love those guys to tell them they have installation problems...

Heh...

K.

-----Original Message-----
From: Tim Jones <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday 8 November 1999 00:21
Subject: Netscape Web Publisher


> This is not a HOLE. By default (I think) Netscape Enterprise/3.5.1I
> installs A LOT of shit that you will never need or use. But like most things
> people don't use, people don't remove them. A major thing that Netscape
> installs is Netscape Web Publisher, which you can access via http. By
> default it's /publisher/. Like on www.fbi.gov/publisher/ click on Start Web
> Publisher. Then after the Java app loads it will ask you for a Username and
> Password. Well, just leave them blank and hit ENTER.. Now this is a bad idea
> because anyone could just brute force the User Name and password. Then after
> you do or don't enter a user name and password it will show you ALL files in
> the web dir. Now this is also a bad idea because some people leave, like, oh,
> password lists, user names, cc info in the web dir. All of which you could
> access from the web if you had the info on where it was. So in short it's a
> BAD idea to leave /publisher/ on Netscape on. You should remove /publisher/.
> Most people don't give a shit, like www.fbi.gov/publisher/, that you can look
> at all their files, but they're stupid so whatever..
>
> I emailed netscape, fbi.gov about 2 weeks ago about this and I have got no
> reply.. So maybe they might fix it now.
>
> --flipz
>