NSFocus Security Monthly -> Issue 8 -> Latest Vulnerabilities
Home page: http://www.nsfocus.com
Date: 2000-04-12
Release date: 2000-3-27
Updated: 2000-3-27
Affected systems:
Netscape-Enterprise/3.5.1C
Netscape-Enterprise/3.5.1G
Netscape-Enterprise/3.5 1I
Netscape-Enterprise/3.6 SP1
Netscape-Enterprise/3.6 SP2
Netscape-Enterprise/3.6 SP3
--------------------------------------------------------------------------------
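Description:
Netscape WebPublisher is an add-on for Netscape's Enterprise web server. It allows files to be
edited, uploaded and downloaded remotely. WebPublisher is installed by default in the /publisher
directory. A user without a valid system account may be able to access WebPublisher by
downloading some Java applets, and list the web server's directory structure.
Sending a GET /publisher request returns a page titled "WebPublisher Home Page", which contains
some information about WebPublisher. The page has a "Start Webpublisher" button; clicking it
downloads the WebPublisher Java applet and runs it automatically. The applet asks you to accept
three statements and then asks for a user name. Any name can be entered here; it does not need
to be a valid system user name. The Java program then opens the WebPublisher window, which shows
a listing of the web server's root directory.
The menu bar at the top lets you upload, download, edit, delete or move files. These operations
require a password, but that password can be guessed by brute force.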
<* Source: f0bic (f0bic@deadprotocol.org)
http://zsh.stupidphat.com/
*>
--------------------------------------------------------------------------------
Test program:
#!/usr/bin/perl
#
# Netscape-WebPublisher Scanner
# by f0bic [ zsh ]
#
# Usage: ./pub-scan.pl <infile> <outfile>
#
#
use IO::Socket;

$SIG{'ALRM'} = sub { exit(0) };   # per-host timeout: the child simply exits
$SIG{'CHLD'} = sub { wait };      # reap finished child processes

# Two arguments are required: the list of hosts and the result file.
if ($#ARGV != 1) {
    print "\nUsage: $0 <infile> <outfile>\n\n";
    exit(0);
} else {
    $infile  = $ARGV[0];
    $outfile = $ARGV[1];
}

print "\n[ ]-( WebPublisher Scanner v1.0 )\n\n";
open(IN, "$infile") || die "Can't open infile [ $infile ]\n";
print "----( reading from [ $infile ] )\n";
open(OUT, ">>$outfile") || die "Can't create outfile [ $outfile ]\n";
print "----( writing to [ $outfile ] )\n\n";
print "---- Scanning for Vulnerable Servers:\n\n";
$time1 = time();

# One host per line; each host is checked in its own child process.
while (<IN>) {
    chomp ($line = $_);
    if ($line =~ /(\S*)/) {
        if ($pid = fork) {
            sleep 10;
        } elsif (defined($pid)) {
            alarm(25);
            publisher_scan($1);
            alarm(0);
            exit(0);
        }
    }
}

# Request a WebPublisher page and report the host if the server answers 200.
sub publisher_scan {
    my($server) = @_;
    $w00p = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => "80");
    if (!$w00p) { exit(0); }
    print $w00p "GET /publisher/WPDownloadsComp.html HTTP/1.0\r\n\r\n";
    # Only the status line is examined, so stop after the first line.
    while (<$w00p>) {
        chomp ($verify = $_);
        if ($verify =~ /^HTTP\/1\.1\s200\sOK/i) {
            print "\t$server runs Netscape WebPublisher\n";
            print OUT "$server runs Netscape WebPublisher\n";
        }
        close($w00p);
        last;
    }
}

$time2 = time();
print "\n";
printf "---- Scan completed in : %.2f seconds\n\n", $time2 - $time1;
close(IN);
close(OUT);
--------------------------------------------------------------------------------
Recommendations:
1. Uninstall WebPublisher, or set directory permissions on the /publisher directory.
2. Use the access control module to restrict access to WebPublisher.
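Added example, not part of the original advisory: a log review that shows whether /publisher is still served to clients with no authenticated user, and which clients are collecting repeated password failures. It assumes the server writes Common Log Format access logs and that a rejected password is logged as status 401; the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation address ranges), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Mar/2000:10:00:01 +0000] "GET /publisher HTTP/1.0" 200 2048',
    '192.0.2.10 - - [27/Mar/2000:10:00:05 +0000] "GET /publisher/WPDownloadsComp.html HTTP/1.0" 200 512',
    '203.0.113.5 - editor [27/Mar/2000:10:01:00 +0000] "GET /publisher/ HTTP/1.0" 200 2048',
    '198.51.100.7 - - [27/Mar/2000:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 100',
] + [
    '192.0.2.10 - - [27/Mar/2000:10:03:%02d +0000] "PUT /index.html HTTP/1.0" 401 0' % s
    for s in range(8)
]


def review_access_log(lines, max_401=5):
    # anonymous: host -> /publisher paths answered 200 with no authenticated user,
    #            i.e. the directory is not yet covered by access control.
    # guessers:  host -> number of 401 responses, for hosts above max_401
    #            (assumption: a rejected WebPublisher password is logged as 401).
    anonymous = defaultdict(list)
    failures = defaultdict(int)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path = m["path"].split("?", 1)[0].lower()
        under_publisher = path == "/publisher" or path.startswith("/publisher/")
        if under_publisher and m["status"] == "200" and m["user"] == "-":
            anonymous[m["host"]].append(m["path"])
        if m["status"] == "401":
            failures[m["host"]] += 1
    guessers = {h: n for h, n in failures.items() if n > max_401}
    return dict(anonymous), guessers


if __name__ == "__main__":
    anonymous, guessers = review_access_log(SAMPLE_LOG)
    for host, paths in anonymous.items():
        print("unauthenticated WebPublisher access from", host, paths)
    for host, count in guessers.items():
        print("repeated 401 responses from", host, count)
```

Once either recommendation is applied, the first result should be empty for new log entries.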
All rights reserved. Reproduction without permission is prohibited.