amonotod wrote:

> Hello all,
>
> Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though
> WebPublishing has never (not even just to try it out) been enabled. All
> commands (plus more that don't work) listed in the bulletin are contained in
> the file "_install_path_\SuiteSpot\plugins\content_mgr\bin\content_mgr.dll".
>
> regards,
> amonotod

A few more updates.

- Netscape/iPlanet still did not respond.

- A stock installation of NES 3.6SP3 on Sparc/Solaris 2.7 without any features
  enabled IS vulnerable to this problem. Web Publishing seems not to be
  important at all.

- NES 3.6SP3 on IRIX is also vulnerable.

- ACLs cannot stop this problem; it looks like NES parses '?wp' tags even
  before the request is checked against ACLs (tried under Solaris).

The only way to disable this 'feature' was to edit the file ns-httpd.so (under
Solaris) and modify the strings inside; for example, change '?wp-cs-dump' into
'?ab-cd-efg' - or whatever.

Under Windows, the strings are indeed located in 'content_mgr.dll' - that was
the first place where the strings were found. Later, the strings were also
found in another DLL - ns-httpd.dll (if I remember correctly).

If you enable Web Publishing, make sure that you also modify the strings inside
content_mgr.dll (or content_mgr.so, if running on Solaris).

There are quite a few sites running NES 3.6SP3 (on Solaris) that are not
vulnerable. I would really like it if someone who has a setup like that and is
not vulnerable took a look at the NES setup and checked what features are
enabled/disabled. That might help to understand what needs to be done in order
to protect the servers.

Thanks to Reb for helpful details (erm... won't mention his email here, so that
people don't try the NES 'features' on his company website :)

Regards,

Vanja Hrustic
SAFER Editor

SAFER - free monthly security newsletter
Subscriptions at http://www.safermag.com
