Date: Fri, 30 Jul 1999 21:47:20 +0100
From: Mnemonix <mnemonix@GLOBALNET.CO.UK>
Subject: Netscape Enterprise Server yields source of JHTML
To: BUGTRAQ@SECURITYFOCUS.COM

Netscape Enterprise Server has introduced JHTML, the Netscape equivalent of Microsoft's Active Server Pages. On poorly configured sites it is possible to retrieve the unparsed source of these JHTML files. This problem affects 3.5.1 and possibly other versions such as 3.6, on all platforms, including Windows NT and Solaris.

Details

Netscape Enterprise Server has a built-in search engine which is operational by default. This search engine uses pattern (.pat) files to regulate and format the results. These pattern files can be found in the /search-ui/text directory. The search engine can be configured, by editing these pattern files, to return the whole document in the search results; however, this must be turned on by the Admin by modifying a collection's dblist.ini so that NS-tocrec-pat points to the HTML-tocrec-demo1.pat pattern file, as per the Netscape documentation. It is possible, however, to build a special search request that returns the whole document in the search results without this feature having been turned on. In this way we can retrieve the source of JHTML files and other scripts:

http://no-such-server/search?NS-search-page=results&NS-query=A&NS-collection=B&NS-tocrec-pat=/text/HTML-tocrec-demo1.pat

where A is the query, e.g. the word "that", and B is the collection, e.g. "Web+Publish" or "web_htm". To be fair to Netscape, their documentation states that HTML-tocrec-demo1.pat only displays HTML files, which implies that if the file is not HTML (and JHTML is not quite HTML) it won't be displayed. This is obviously wrong.
Another way to get the source is to issue the request:

http://no-such-server/search?NS-search-page=document&NS-rel-doc-name=/path/to/indexed/file.jhtml&NS-query=URI!=''&NS-collection=A

where A is the collection; this avoids the rigmarole of playing around with HTML-tocrec-demo1.pat in the URL.

The solution to this problem is to store all JHTML files (or other scripts) in a directory that is not indexed, and to be wary of the default Web Publishing collection. If you don't need the search capability of NSE, disable it.

Cheers,
David Litchfield
Arca Systems Inc, an Exodus Communications company
http://www.arca.com
http://www.infowar.co.uk/mnemonix
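The two request shapes described in this advisory (a client-supplied NS-tocrec-pat parameter, and NS-search-page=document with NS-rel-doc-name pointing at a script file) are easy to pick out of a web server access log. The following is an added example, not code from the advisory or from Netscape: a small Python scanner that parses Common Log Format lines and flags both patterns. The log lines, the IP addresses, the collection name and the file names are constructed for the example, and the list of script extensions worth flagging is an assumption; the two URL parameter names come from the advisory itself.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
# Lines 1 and 2 mirror the two request shapes from the advisory; 3 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jul/1999:21:47:20 +0100] "GET /search?NS-search-page=results&NS-query=that&NS-collection=web_htm&NS-tocrec-pat=/text/HTML-tocrec-demo1.pat HTTP/1.0" 200 8123
10.0.0.7 - - [30/Jul/1999:21:48:02 +0100] "GET /search?NS-search-page=document&NS-rel-doc-name=/app/login.jhtml&NS-query=URI!=''&NS-collection=web_htm HTTP/1.0" 200 2211
10.0.0.9 - - [30/Jul/1999:21:49:10 +0100] "GET /search?NS-search-page=results&NS-query=netscape&NS-collection=web_htm HTTP/1.0" 200 1543
10.0.0.9 - - [30/Jul/1999:21:50:00 +0100] "GET /index.html HTTP/1.0" 200 4000
"""

# host ident authuser [timestamp] "METHOD PATH PROTO" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Assumption: server-side script types whose unparsed source should never leave the server.
SCRIPT_EXTENSIONS = (".jhtml", ".cgi", ".pl", ".shtml")


def classify_request(path):
    """Return a reason string if the request matches one of the advisory's two
    patterns, otherwise None. `path` is the request-target as logged."""
    parts = urlsplit(path)
    if parts.path != "/search":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)

    # Pattern 1: the client supplies NS-tocrec-pat itself, overriding whatever
    # the collection's dblist.ini configures. A legitimate search form never does this.
    if "NS-tocrec-pat" in params:
        return "client-supplied NS-tocrec-pat=" + params["NS-tocrec-pat"][0]

    # Pattern 2: document view of an indexed file whose name is a script, not HTML.
    page = params.get("NS-search-page", [""])[0].lower()
    if page == "document":
        doc = unquote(params.get("NS-rel-doc-name", [""])[0])
        if doc.lower().endswith(SCRIPT_EXTENSIONS):
            return "document view of script file " + doc
    return None


def scan_log(text):
    """Parse CLF lines and return a list of findings for suspicious /search requests."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        ip, ts, method, path, status, _size = m.groups()
        reason = classify_request(path)
        if reason:
            findings.append({"ip": ip, "time": ts, "method": method,
                             "status": int(status), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} {f['reason']}")
```

A finding with status 200 on the NS-tocrec-pat pattern is the stronger signal, since it means the server honoured the override; a 404 or 403 on the same request still tells you someone is probing for it. The same classifier can be pointed at a live log tail once the search engine has been disabled or the JHTML files moved out of the indexed tree, to confirm the mitigation holds.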