Unauthorized directory listings with FastTrack v3.01 NT

Matthew Patton (patton@SYSNET.NET)
Fri, 16 Jan 1998 20:48:03 -0400

Seems some programmer at Netscape screwed up pretty stupidly. Whereas
almost every other robust webserver treats lowercase "get/pub/head" as
illegal operations and spits back a nice or not so nice error, FastTrack
provides a directory listing!!

Most disturbingly, directory access control methods (at least when using
.nsconfig files) are completely sidestepped - directories to which users
have no privs to see are happily listed to them but apparently only 1 level
deep since the presence of a '/' seems to kick the server into doing the
right thing. Even in areas in which no control is being asserted AND
despite the presence of index.html (or equiv) you can get a directory
listing this way.

eg:
get /foo
provides a file list whereas
get /foo/bar
doesn't. Attempts to fetch the files in the now exposed directory fail like
they should, so not all is lost.

I've tried this 'probe' against various incarnations of
FastTrack/Enterprise v2 and they don't seem to be susceptible. The one
Enterprise v3 server I tried also did not exhibit this flaw.

To solve the problem, turn off directory browsing completely (see Netscape
KB for details) and scream till a patch is produced. Can someone try this
on a unix flavored box and see if the problem exists?

For those of you who've elected to allow users to ftp into content root,
imagine the fun they'd have replacing .nsconfig files willy-nilly. Be a
sport and make sure these files are tagged RO and preferably owned by
someone else.

BTW, do any of Netscape's other servers or (better yet) recent Apache/NCSA
serve out .htaccess files or their equivalents? FastTrack v3.01 does and
happily! Nothing like revealing your access control details to the world!!
Maybe this is why NS is losing market share and money. This is the best
the 'king of the hill' can do??? Then again, M$ has a rap sheet of asinine
designs and blunders long enough to cover the globe.

P.S. does anyone know why FastTrack v3's builtin access control is so
broken? It thinks "rand" is a reserved word (something to do with their
lousy java based ACL program I bet) so I can't allow any domains that have
'rand' into my site.

--------
In 1794, James Madison pointed out "the old trick of turning every
contingency into a resource for accumulating force in the government."

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT/CS d++>d- S: a- c++ UB++++$ P++ L- E W+$ N+ O K-- w---$ O++ M+ V--
PS+++ PE++ Y+ PGP++ t 5 X+ R- !tv b+ DI++ D+ G e++>+++ h-- !r y
------END GEEK CODE BLOCK------
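
Added example, not part of the original post: a log audit an administrator could run to see whether the two behaviours described above show up in a server's access log, namely lowercase request methods that were answered successfully and access-control files (.nsconfig, .htaccess) that were served. It assumes the log is in Common Log Format; the names audit and SAMPLE_LOG and all sample lines and status codes are constructed for illustration.

```python
import re

# Assumption: access log is in Common Log Format (host ident user [ts] "request" status bytes).
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
ACL_FILES = (".nsconfig", ".htaccess")

# Constructed sample lines (documentation addresses, invented status codes and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jan/1998:20:40:01 -0400] "GET /index.html HTTP/1.0" 200 2048',
    '192.0.2.44 - - [16/Jan/1998:20:41:12 -0400] "get /foo" 200 913',
    '192.0.2.44 - - [16/Jan/1998:20:41:30 -0400] "get /foo/bar" 400 207',
    '192.0.2.44 - - [16/Jan/1998:20:42:05 -0400] "GET /foo/.nsconfig HTTP/1.0" 200 151',
    '192.0.2.45 - - [16/Jan/1998:20:43:00 -0400] "GET /.htaccess HTTP/1.0" 403 0',
]

def audit(lines):
    """Return (line_no, finding, client, path) tuples for suspicious requests."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue  # not a CLF request line; skip rather than guess
        method, path, status = m["method"], m["path"], int(m["status"])
        served = 200 <= status < 300
        # A method that is only valid once upper-cased should have been rejected.
        if method not in STANDARD_METHODS and method.upper() in STANDARD_METHODS:
            kind = "lowercase-method-served" if served else "lowercase-method-rejected"
            findings.append((n, kind, m["host"], path))
        # Access-control files should never be handed out with a success status.
        name = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
        if served and name.lower() in ACL_FILES:
            findings.append((n, "acl-file-served", m["host"], path))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A "lowercase-method-rejected" finding means the server refused the request, but it still records that a client tried the malformed method.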