Livewire "source" problem

Summary
Description:It is often possible in sites using Livewire to download the actual application rather than individual pages generated by it. If the page is http://www.blah.com/foo/ try downloading http://www.blah.com/foo.web .
Author:Daragh Malone <daragh_malone@ACCURIS.IE>
Compromise:Obtain the livewire application rather than the pages it generates. These may have passwords and other sensitive info stored in them.
Vulnerable Systems:Those running Livewire, in particular DEC UNIX 4.0D running Netscape Enterprise Server 3.0.
Date:24 April 1998
Details


Date: Fri, 24 Apr 1998 12:48:02 +0100
From: Daragh Malone <daragh_malone@ACCURIS.IE>
To: BUGTRAQ@NETSPACE.ORG
Subject: Security Hole in Netscape Enterprise Server 3.0

     Hi All,
        I don't know if there is a patch for this, or if this is already
     well known, but here it is. A simple workaround follows.

     Problem: Livewire Applications are downloadable. (Passwords are
     unencrypted)

     Platform: DEC UNIX 4.0D (possibly all Unixes/NT)

     Description:
        Livewire applications are basically server-side Javascript
     applications that behave similiar to Active Server Pages. The main
     difference is that Livewire applications are compiled to a proprietary
     byte executable that contains all the pages in the application.
        These applications are generated with .web extensions. In their own
     example, the game hangman is accessed as
     http://www.myserver.com/hangman/ and the application is hangman.web.
     So accessing http://www.myserver.com/hangman/hangman.web will download
     the application to your browser.
        The second problem lies in the fact that all the pages are
     readable, and that database username/passwords are unencrypted, unless
     specifically encrypted in your application.
        The two problems combined can compromise security. This problem
     occurs regardless of Web directory permissions from a server level.

     Quick Workaround:
        Rename the .web application to something cryptic like G6r$79k9.web
     and make sure that the directory it's in isn't a document directory.

     Rant:
        I verified this problem on a few Internet sites, which leads to the
     question: If you verify a web security problem (remember .. at the end
     of Active Server Pages) is this technically illegal.
        If anyone knows if this problem has been fixes I'd really
     appreciate it.


        Thanks,
        D.Malone.

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]