At 5:48pm Mar 22, 2000, Vanja Hrustic wrote:

> amonotod wrote:

> > Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though
> > WebPublishing has never (not even just to try it out) been enabled.

Same here. If directory browsing is enabled, wp-cs-dump gives a listing.

> - ACLs can not stop this problem; looks like NES parses '?wp' tags even
> before it is checked against ACLs (tried under Solaris)

More likely the ACLs don't match on query string information. (ACLs
usually trigger on ppath, which does not include the query string.)

> The only way to disable this 'feature' was to edit file ns-httpd.so
> (under Solaris), and modify strings inside; for example, to change
> '?wp-cs-dump' into '?ab-cd-efg' - or whatever.

Editing DLLs. Eek.

The attached NSAPI code was tested on NES 3.63 on Solaris and seems to
stop the problem on the server we can't disable directory browsing on. I'd
love to talk off-list with others working on this to see if there are other
things this doesn't catch, you know, weird URI-encoding, etc. If anyone
has more info on how to exploit the tags, that would be nice, too.

Netscape, if you're listening: this is a workaround; I'd like a fix. ;-)

-Peter

http://www.bastille-linux.org/ : working towards more secure Linux systems
#include <string.h>             /* strstr */
#include "netsite.h"            /* NSAPI base types (NES 3.x SDK header layout) */
#include "base/pblock.h"        /* pblock_findval */
#include "base/session.h"       /* Session */
#include "frame/req.h"          /* Request, REQ_NOACTION, REQ_ABORTED */
#include "frame/protocol.h"     /* protocol_status */
#include "frame/http.h"         /* PROTOCOL_NOT_FOUND */

/*
   PW-no-wpleak.so

   Usage:
   At the beginning of obj.conf:
      Init fn=load-modules shlib=PW_no_wpleak.so funcs="PW-no-wpleak"
   Inside an object in obj.conf (preferably at the top of the default object):
      PathCheck fn=PW-no-wpleak

   The PathCheck gives a 404 for any request containing known WebPublisher tags
   (i.e. with a QUERY_STRING beginning with a known tag). The C symbol below is
   PW_no_wpleak, since a hyphen is not legal in a C identifier.
 */

NSAPI_PUBLIC int PW_no_wpleak(pblock *pb, Session *sn, Request *rq)
{
    /* the query string as the server stores it in the request pblock */
    char *requestQuery = pblock_findval("query", rq->reqpb);
    /* known WebPublisher tags; the comparison below is case-sensitive */
    const char *webPubTags[] = {
        "wp-cs-dump",
        "wp-ver-info",
        "wp-html-rend",
        "wp-usr-prop",
        "wp-ver-diff",
        "wp-verify-link",
        "wp-start-ver",
        "wp-stop-ver",
        "wp-uncheckout",
        NULL
    };
    int i = 0;

    /* bail out if we've got nothing to work with */
    if (!requestQuery) return REQ_NOACTION;

    /* check whether the query string starts with a known tag */
    while (webPubTags[i] != NULL) {
        if (strstr(requestQuery, webPubTags[i++]) == requestQuery) {
            /* found a match, throw a 404 error */
            protocol_status(sn, rq, PROTOCOL_NOT_FOUND, NULL);
            return REQ_ABORTED;
        }
    }

    /* looks OK */
    return REQ_NOACTION;
}
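As an added example (not part of Peter's post or his module), here is the same prefix check written as a stand-alone C program, with one addition aimed at the "weird URI-encoding" question raised above: the query string is percent-decoded, '+' is mapped to space and the text is case-folded before the tag list is consulted, so a filter built this way is not weaker than whatever decoding the server applies. Whether NES honours encoded or upper-case tag spellings is not established by this thread; the function names, the buffer sizes and the sample query strings are my own, and the tag list is the one from the PathCheck.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Known WebPublisher tags, the same list the NSAPI PathCheck uses. */
static const char *const webpub_tags[] = {
    "wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop",
    "wp-ver-diff", "wp-verify-link", "wp-start-ver", "wp-stop-ver",
    "wp-uncheckout", NULL
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;               /* not a hex digit */
}

/* Percent-decode `in` into `out` (at most outsz-1 bytes), map '+' to ' ',
 * and fold to lower case. A '%' not followed by two hex digits is copied
 * literally. Truncation is safe here because callers only test a prefix. */
void normalize_query(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = (hi >= 0) ? hexval((unsigned char)in[i + 2]) : -1;
            if (hi >= 0 && lo >= 0) {
                c = hi * 16 + lo;
                i += 2;
            }
        } else if (c == '+') {
            c = ' ';
        }
        out[o++] = (char)tolower(c);
    }
    out[o] = '\0';
}

/* Helper: does `in` normalize to exactly `expected`? */
int decodes_to(const char *in, const char *expected)
{
    char buf[256];
    normalize_query(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* The original policy: the raw query string begins with a known tag.
 * Returns 1 for a match, 0 otherwise. */
int raw_prefix_match(const char *query)
{
    if (query == NULL) return 0;
    for (int i = 0; webpub_tags[i] != NULL; i++)
        if (strncmp(query, webpub_tags[i], strlen(webpub_tags[i])) == 0)
            return 1;
    return 0;
}

/* Hardened policy: the same prefix test, applied to the normalized
 * (decoded, case-folded) query so that "%77p-cs-dump" or "WP-CS-DUMP"
 * are caught too. 1 = block (send the 404 in the PathCheck), 0 = allow. */
int is_webpub_tag_query(const char *query)
{
    char buf[64];  /* longer than any tag, so truncation cannot hide one */
    if (query == NULL) return 0;
    normalize_query(query, buf, sizeof buf);
    return raw_prefix_match(buf);
}

int main(void)
{
    /* Constructed sample query strings, not captured traffic. */
    const char *samples[] = {
        "wp-cs-dump", "WP-CS-DUMP", "%77p-cs-dump", "wp-cs-dump&x=1",
        "page=2", "x=1&wp-cs-dump", NULL
    };
    for (int i = 0; samples[i] != NULL; i++)
        printf("%-18s raw=%d normalized=%d\n", samples[i],
               raw_prefix_match(samples[i]), is_webpub_tag_query(samples[i]));
    return 0;
}
```

The program prints, for each constructed query, whether the raw check and the normalized check would block it; the encoded and upper-case spellings are the ones where the two differ. Both checks keep the module's prefix-only policy (a tag after `&` is not matched), since that is the form the thread describes.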
