NSFOCUS Security Monthly -> Issue 8 -> Latest Vulnerabilities
Netscape Enterprise WebPublisher Allows Remote Listing of Directory Contents

Home page: http://www.nsfocus.com
Date: 2000-04-12


Published: 2000-3-27
Updated: 2000-3-27

Affected systems:
Netscape-Enterprise/3.5.1C
Netscape-Enterprise/3.5.1G
Netscape-Enterprise/3.5 1I
Netscape-Enterprise/3.6 SP1
Netscape-Enterprise/3.6 SP2
Netscape-Enterprise/3.6 SP3

--------------------------------------------------------------------------------
Description:

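Netscape WebPublisher is an add-on to Netscape's Enterprise web server. It allows
files to be edited, uploaded and downloaded remotely. WebPublisher is installed by
default in the /publisher directory. A user without a valid system account may be
able to reach WebPublisher by downloading some Java applets, and then list the web
server's directory structure.

Sending a GET /publisher request returns a page titled "WebPublisher Home Page",
which contains some information about WebPublisher. The page has a
"Start Webpublisher" button; clicking it downloads the WebPublisher Java applet
and runs it automatically. The applet asks you to agree to three statements, and
the system then asks for a user name. Any name can be entered here; it does not
need to be a valid system user name. The Java program then opens the WebPublisher
window, which shows a listing of the web server's root directory.

The menu bar at the top lets you upload, download, edit, delete or move files.
These operations require a password, but that password can be guessed by brute
force.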

<* Source: f0bic (f0bic@deadprotocol.org)
         http://zsh.stupidphat.com/
*>        


--------------------------------------------------------------------------------
Test program:


#!/usr/bin/perl

#
# Netscape-WebPublisher Scanner
# by f0bic [ zsh ]
#
# Usage: ./pub-scan.pl <infile> <outfile>
#
#

use IO::Socket;

$SIG{'ALRM'} = sub { exit(0) };   # per-host timeout: the child exits when alarm() fires
$SIG{'CHLD'} = sub { wait };      # reap finished children

if ($#ARGV != 1) {
    print "\nUsage: $0 <infile> <outfile>\n\n"; exit(0);
} else {
    $infile = $ARGV[0];     # one host name or address per line
    $outfile = $ARGV[1];    # hosts that answer 200 are appended here
}

print "\n[ ]-( WebPublisher Scanner v1.0 )\n\n";

open(IN, "$infile") || die "Can't open infile [ $infile ]\n";
print "----( reading from [ $infile ] )\n";
open(OUT, ">>$outfile") || die "Can't create outfile [ $outfile ]\n";
print "----( writing to [ $outfile ] )\n\n";
print "---- Scanning for Vulnerable Servers:\n\n";
$time1 = time();
while (<IN>) {
    chomp ($line = $_);
    # Skip blank lines; the first non-blank token is the host to check.
    if ($line =~ /(\S+)/) {
        if ($pid = fork) {
            sleep 10;
        } elsif (defined($pid)) {
            alarm(25);
            publisher_scan($1);
            alarm(0);
            exit(0);
        }
    }
}

sub publisher_scan {

    my($server) = @_;
    $w00p = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => "80");
    if (!$w00p) { exit(0); }
    # Request the applet download page that ships with WebPublisher.
    print $w00p "GET \/publisher\/WPDownloadsComp.html HTTP\/1.0\r\n\r\n";

    while (<$w00p>) {
        chomp ($verify = $_);
        if ($verify =~ /^HTTP\/1\.1\s200\sOK/i) {
            print "\t$server runs Netscape WebPublisher\n";
            print OUT "$server runs Netscape WebPublisher\n";
        }
        # Only the status line is checked, so stop after the first line.
        close($w00p);
        last;
    }
}
$time2 = time();
print "\n";
printf "---- Scan completed in : %.2f seconds\n\n", $time2 - $time1;
close(IN);
close(OUT);


--------------------------------------------------------------------------------
Recommendations:

1. Uninstall WebPublisher, or set directory permissions on the /publisher directory.
2. Use the access control module to restrict access to WebPublisher.
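
To check whether WebPublisher has already been requested, and whether access control now denies it, the server's access log can be searched for requests under /publisher. The script below is an added example, not part of the original advisory; it assumes the server writes Common Log Format, and the log lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
PREFIX = "/publisher"  # default WebPublisher location named in the advisory


def is_publisher_path(path):
    """True for /publisher or anything below it; ignores case, query and %-encoding."""
    p = unquote(path.split("?", 1)[0]).lower()
    return p == PREFIX or p.startswith(PREFIX + "/")


def publisher_hits(lines):
    """Group requests that touch WebPublisher by client address."""
    hits = defaultdict(lambda: {"requests": 0, "served": 0, "paths": set()})
    for line in lines:
        m = CLF.match(line)
        if not m or not is_publisher_path(m["path"]):
            continue
        entry = hits[m["host"]]
        entry["requests"] += 1
        entry["paths"].add(m["path"])
        if m["status"].startswith("2"):  # content was actually delivered
            entry["served"] += 1
    return dict(hits)


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Mar/2000:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 2048
198.51.100.7 - - [27/Mar/2000:10:02:11 +0000] "GET /publisher/WPDownloadsComp.html HTTP/1.0" 200 5120
198.51.100.7 - - [27/Mar/2000:10:02:15 +0000] "GET /publisher HTTP/1.0" 200 3072
203.0.113.5 - - [27/Mar/2000:10:05:40 +0000] "GET /Publisher/ HTTP/1.0" 403 312
192.0.2.10 - - [27/Mar/2000:10:06:00 +0000] "GET /publishers.html HTTP/1.0" 200 900
""".splitlines()

if __name__ == "__main__":
    for host, e in sorted(publisher_hits(SAMPLE_LOG).items()):
        state = "SERVED" if e["served"] else "denied"
        print(f"{host}: {e['requests']} request(s), {state}, paths={sorted(e['paths'])}")
```

A client listed as SERVED received WebPublisher content, which means the /publisher restriction is missing or not taking effect for that path.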


All rights reserved. Reproduction without permission is prohibited.