| VID |
22007 |
| Severity |
30 |
| Port |
80, ¡¦ |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
Some versions of the Netscape Enterprise Server can be tricked into revealing file listings for directories usually unbrowsable by the existence of an index.html file through the PageServices query. Requesting an URL with "?PageServices" appended to it makes some Netscape servers dump the listing of the page directory, thus revealing potentially sensitive files to an attacker.
* References:
http://www.iss.net/security_center/static/1810.php
http://www.dataguard.no/bugtraq/1998_3/0564.html |
| Recommendation |
1. Turn off directory browsing on affected servers.
Set Directory Indexing to "none"; the default setting is "fancy". In NSES 3.5.1, this is done in Document Preferences under Content Management in the Admin interface.
2. Upgrade the Netscape server to the latest version. |
| Related URL |
CVE-1999-0269 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
