Date:         Fri, 30 Jul 1999 21:47:20 +0100
From:         Mnemonix <mnemonix@GLOBALNET.CO.UK>
Subject:      Netscape Enterprise Server yields source of JHTML
To:           BUGTRAQ@SECURITYFOCUS.COM

Netscape Enterprise Server has introduced JHTML, the Netscape equivalent of Microsoft's Active Server Pages. On poorly configured sites it is possible to retrieve the unparsed source of these JHTML files. This problem affects 3.5.1 and possibly other versions such as 3.6, on all platforms, such as Windows NT and Solaris.

Details
Netscape Enterprise Server has a built-in search engine which is operational by default. This search engine uses Pattern (.pat) files to regulate and format the results. These pattern files can be found in the /search-ui/text directory. The search engine can be configured by editing these pattern files to return the whole document in the search results - however, this must be turned on by the Admin by making modifications to a "collection's" dblist.ini to point the NS-tocrec-pat to the HTML-tocrec-demo1.pat pattern file, as per the Netscape documentation.

It is possible, however, to build a special search request that will return the whole document in the search results without this feature having been turned on. In this way we can retrieve the source of JHTML files and other scripts.

http://no-such-server/search?NS-search-page=results&NS-query=A&NS-collection=B&NS-tocrec-pat=/text/HTML-tocrec-demo1.pat

where A is the query, e.g. the word "that", and B is the collection, e.g. "Web+Publish" or "web_htm".

Being fair to Netscape, their documentation states that HTML-tocrec-demo1.pat only displays HTML files - though this implies that if the file is not HTML, which strictly speaking JHTML is not, it won't be displayed. This obviously is wrong.

Another way to get the source is to issue the request:

http://no-such-server/search?NS-search-page=document&NS-rel-doc-name=/path/to/indexed/file.jhtml&NS-query=URI!=''&NS-collection=A

where A is the collection, without having to go through the rigmarole of playing around with HTML-tocrec-demo1.pat in the URL.

The solution to this problem is to store all JHTML files (or other scripts) in a directory that is not indexed, and be wary of the default Web Publishing collection. If you don't need the search capability of NSE then disable it.
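Alongside those fixes, an administrator can check past access logs for the two request shapes described above. The following scanner is an added example written for this note, not code from the original post or from Netscape; the log lines, the Common Log Format layout and the set of script extensions it flags are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Common Log Format); not taken from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jul/1999:21:47:20 +0100] "GET /index.html HTTP/1.0" 200 1024
10.0.0.7 - - [30/Jul/1999:21:48:01 +0100] "GET /search?NS-search-page=results&NS-query=that&NS-collection=web_htm HTTP/1.0" 200 5120
10.0.0.9 - - [30/Jul/1999:21:49:13 +0100] "GET /search?NS-search-page=results&NS-query=that&NS-collection=web_htm&NS-tocrec-pat=/text/HTML-tocrec-demo1.pat HTTP/1.0" 200 9000
10.0.0.9 - - [30/Jul/1999:21:50:44 +0100] "GET /search?NS-search-page=document&NS-rel-doc-name=/app/login.jhtml&NS-query=URI!=''&NS-collection=web_htm HTTP/1.0" 200 3000
10.0.0.7 - - [30/Jul/1999:21:51:02 +0100] "GET /search?NS-search-page=document&NS-rel-doc-name=/docs/intro.html&NS-query=that&NS-collection=web_htm HTTP/1.0" 200 2000
"""

# Groups: client, timestamp, method, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Extensions whose unparsed source a client should never receive. The post names
# JHTML; extend this (assumed) list with whatever other script types the site serves.
SCRIPT_EXTENSIONS = (".jhtml",)

def classify_request(target):
    """Return a reason string if the request matches one of the two patterns, else None."""
    parsed = urlparse(target)
    if parsed.path != "/search":
        return None
    qs = parse_qs(parsed.query, keep_blank_values=True)
    # Pattern 1: the client supplies its own result pattern file; that setting
    # should only ever come from the collection's dblist.ini, never from the URL.
    if "NS-tocrec-pat" in qs:
        return "client-supplied NS-tocrec-pat=" + qs["NS-tocrec-pat"][0]
    # Pattern 2: the document page is asked for an indexed script by name.
    if qs.get("NS-search-page", [""])[0] == "document":
        for name in qs.get("NS-rel-doc-name", []):
            if name.lower().endswith(SCRIPT_EXTENSIONS):
                return "document view of script source: " + name
    return None

def scan_log(text):
    """Return (client, timestamp, status, target, reason) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        client, ts, _method, target, status = m.groups()
        reason = classify_request(target)
        if reason:
            hits.append((client, ts, int(status), target, reason))
    return hits
```

A 200 status on a flagged line means the server actually returned the result page, so those entries are the ones worth following up against the indexed collections.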

Cheers,
David Litchfield
Arca Systems Inc, an Exodus Communications company
http://www.arca.com
http://www.infowar.co.uk/mnemonix