From weld@vulnwatch.org Thu Jan 10 00:39:10 2002
From: Chris Wysopal
To: vulnwatch@vulnwatch.org
Date: Wed, 9 Jan 2002 16:45:31 +0000 (GMT)
Subject: [VulnWatch] Netscape publishing wp-force-auth command

ProCheckUp Security Bulletin PR01-05
CERT: VU#985347

Description: Netscape publishing wp-force-auth command
Date: 30/07/2001
Date Public: 08/01/2002
Application: Netscape Enterprise 4.0 SP2, SP6 to 4.1 SP8
Platform: Solaris and Windows NT
Severity: Remote attackers can force basic authentication
Author: Richard Brain
Vendor Status: Netscape has released a fix
CVE Candidate: Not assigned

Description:
Remote attackers can easily use the wp-force-auth command to perform brute force password cracking. http://server/wp-force-auth is entered in the web browser.

Consequences:
Remote attackers can easily perform a brute force password crack on Netscape Enterprise servers; no password-protected directories or programs are required. The server has to have a correctly operating connection with a directory server which has valid users and passwords.

Detailed description:
Netscape Enterprise has a selection of wp-* (Web publishing) commands built into the web server. We have found that one of these commands, wp-force-auth, reliably brings up a logon prompt. Publishing needs to be enabled for this command to work.

We have modified one of our brute force password cracking programs and found that it works reliably with wp-force-auth; the HTTP request we use is GET /wp-force-auth with an Authorization: Basic header and Base64-encoded usernames and passwords.

wp-force-auth is one of the wp commands provided by Netscape's content_mgr.dll.

To discover if publishing is enabled, enter the following URL into your web browser: http://server/publisher. If a screen appears then publishing is enabled.

Our test platforms for this vulnerability were Intel NT4 SP6 and Sparc Solaris Server 2.6.

Solution:
When you enable web publishing, you should treat the web server as an environment that must be secured. Ensure that users follow proper password policies, such as using hard-to-guess passwords. If intrusion detection software is used, it should be configured to check for wp-force-auth requests. HTTP basic authentication is generally not considered a secure mechanism and should be run over an SSL-enabled port. In addition, access logs should be monitored for suspicious requests. A better alternative would be to use client certificates, which are much more secure.

Further information:
To see the vulnerability releases go to iPlanet/7764 or CERT/985347.
For related topics go to iPlanet/4302, iPlanet/7761.

Legal:
Copyright 2001 ProCheckUp Ltd. All rights reserved. Permission is granted for copying and circulating this bulletin to the Internet community for the purpose of alerting them to problems, if and only if the bulletin is not edited or changed in any way, is attributed to ProCheckUp, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. ProCheckUp is not liable for any misuse of this information by any third party.
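The log-monitoring advice in the Solution section, as an added example that is not part of the original bulletin: a small Python access-log scanner that flags sources sending repeated /wp-force-auth requests answered with 401, and notes whether the same source later obtained a 200 (a guessed password). The Common Log Format layout, the sample lines and the IP addresses are constructed assumptions, not real Netscape Enterprise logs.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format (not real server logs).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2002:16:45:31 +0000] "GET /index.html HTTP/1.0" 200 1234
192.0.2.7 - - [09/Jan/2002:16:45:32 +0000] "GET /wp-force-auth HTTP/1.0" 401 0
192.0.2.7 - - [09/Jan/2002:16:45:33 +0000] "GET /wp-force-auth HTTP/1.0" 401 0
192.0.2.7 - - [09/Jan/2002:16:45:34 +0000] "GET /wp-force-auth HTTP/1.0" 401 0
192.0.2.7 - alice [09/Jan/2002:16:45:35 +0000] "GET /wp-force-auth HTTP/1.0" 200 512
10.0.0.9 - bob [09/Jan/2002:16:46:00 +0000] "GET /publisher HTTP/1.0" 200 2048
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_force_auth_guessing(log_text, threshold=3):
    """Return {ip: (count_of_401s, got_200_after_failures)} for every source that
    requested /wp-force-auth and received at least `threshold` 401 responses."""
    failures = defaultdict(int)
    success_after = defaultdict(bool)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        # Ignore unparseable lines and any path other than the publishing command.
        if rec is None or rec["path"].split("?")[0] != "/wp-force-auth":
            continue
        if rec["status"] == 401:
            failures[rec["ip"]] += 1
        elif rec["status"] == 200 and failures[rec["ip"]] > 0:
            success_after[rec["ip"]] = True
    return {ip: (n, success_after[ip]) for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for ip, (n, won) in find_force_auth_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed wp-force-auth logins, success afterwards: {won}")
```

The threshold is deliberately low for the sample; on a production log it would be tuned per source and time window.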