[NEWS] Netscape Publishing wp-force-auth Command

From: support@securiteam.com
Date: 01/10/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 10 Jan 2002 13:18:27 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Netscape Publishing wp-force-auth Command
------------------------------------------------------------------------

SUMMARY

Remote attackers can easily use the wp-force-auth command to perform brute
force password cracking by going to the URL: http://server/wp-force-auth
is entered in a web browser.

DETAILS

Vulnerable systems:
Netscape Enterprise 4.0 SP2 and SP6 up to 4.1 SP8

Impact:
Remote attackers can easily perform a brute force password crack on
Netscape Enterprise servers, no password protected directories, or
programs are required. The server has to have a correctly operating
connection with a directory server, which has valid users and passwords.

Detailed description:
Netscape Enterprise has a selection of ?wp-* (Web publishing) commands
built into the web server. One of these commands ?wp-force-auth reliably
brings up a logon prompt. Publishing needs to be enabled for this command
to work.

The HTTP request used is GET /wp-force-auth with an Authorization:Basic
header and Base 64 encoded usernames and passwords.

?wp-force-auth is one of the wp commands, provided by Netscape's
content_mgr.dll

To discover if publishing is enabled, enter the following url
http://server/publisher into your web browser. If a screen appears then
publishing is enabled.

Solution:
When you enable web publishing, you should treat the web server as an
environment that must be secured. Ensure that users follow proper password
policies such as using hard to guess passwords. If intruder detection
software is used, it should be configured to check for wp-force-auth
requests.

HTTP basic authentication is generally not considered a secure mechanism
and should be run over a SSL-enabled port. In addition, access logs should
be monitored for suspicious requests. A better alternative would be to use
client certificates, which are much more secure.

ADDITIONAL INFORMATION

The information has been provided by <mailto:weld@vulnwatch.org> Chris
Wysopal.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages