SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Sun ONE/iPlanet Web Server
Vendors:   Netscape, Sun
iPlanet Web Server Publishing Feature Allows Remote Users to Conduct Brute Force Password Guessing Attempts
SecurityTracker Alert ID:  1003156
SecurityTracker URL:  http://securitytracker.com/id/1003156
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 8 2002
Impact:   User access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 4.0 SP2,SP6 to 4.1 SP8; possibly other versions
Description:   ProCheckUp reported a password guessing vulnerability in the iPlanet Web Server. If publishing is enabled, a remote user can invoke a publishing command that returns a login prompt. A script can use this prompt to brute-force passwords.

A remote user can invoke the ?wp-force-auth command to conduct a brute-force password guessing attack. No account lockout features are provided.

The server must be configured for HTTP basic authentication and publishing must be enabled for this exploit method to apply.

Impact:   A remote user can attempt to guess user names and passwords on the server without triggering an account lockout.
Solution:   The vendor recommends that when you enable web publishing, you treat the web server as an environment that must be secured, ensuring that users follow proper password policies such as using hard-to-guess passwords. Also, access logs should be monitored for suspicious requests. The vendor also recommends that if intrusion detection software is used, it should be configured to check for wp-force-auth requests.
Vendor URL:  knowledgebase.iplanet.com/ikb/kb/articles/7764.html
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (DGUX), UNIX (HP/UX), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Netscape publishing wp-force-auth command


8th January 2002:

ProCheckUp Security Bulletin PR01-05

CERT:           VU#985347
Description:    Netscape publishing wp-force-auth command
Date:           30/07/2001
Date Public:    08/01/2002
Application:    Netscape Enterprise 4.0 SP2,SP6 to 4.1 SP8
Platform:       Solaris and Windows NT
Severity:       Remote attackers can force basic authentication
Author:         Richard Brain
Vendor Status:  Netscape has released a fix
CVE Candidate:  Not assigned


Description:

Remote attackers can easily use the wp-force-auth
command to perform brute force password cracking.
http://server/wp-force-auth is entered in the
web browser.

Consequences: 

Remote attackers can easily perform a brute force
password crack on Netscape Enterprise servers; no
password-protected directories or programs are required.
The server has to have a correctly operating connection
with a directory server, which has valid users and
passwords.

Detailed description: 

Netscape Enterprise has a selection of ?wp-* (Web
publishing) commands built into the web server. We have
found that one of these commands, ?wp-force-auth, reliably
brings up a logon prompt. Publishing needs to be enabled
for this command to work.

We have modified one of our brute force password
cracking programs and found that it works reliably with
wp-force-auth. The HTTP request we use is GET
/wp-force-auth with an Authorization: Basic header and
Base64-encoded usernames and passwords.

?wp-force-auth is one of the wp commands provided by
Netscape's content_mgr.dll.

To discover if publishing is enabled, enter the following
URL, http://server/publisher, into your web browser. If a
screen appears then publishing is enabled.

Our test platforms for this vulnerability were Intel NT4
SP6 and Sparc Solaris Server 2.6.

Solution:

When you enable web publishing, you should treat the
web server as an environment that must be secured.
Ensure that users follow proper password policies such as
using hard to guess passwords. If intruder detection
software is used, it should be configured to check for
wp-force-auth requests.

HTTP basic authentication is generally not considered a
secure mechanism and should be run over an SSL-enabled
port. In addition, access logs should be monitored for
suspicious requests. A better alternative would be to use
client certificates, which are much more secure. 



Further information:

To see the vulnerability releases go to iPlanet/7764
or CERT/985347

For related topics go to iPlanet/4302, iPlanet/7761 

Legal: 

Copyright 2001 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this
bulletin to the Internet community for the purpose of
alerting them to problems, if and only if, the bulletin is
not edited or changed in any way, is attributed to
ProCheckUp, and provided such reproduction and/or
distribution is performed for non-commercial purposes.

Any other use of this information is prohibited.
ProCheckUp is not liable for any misuse of this information
by any third party.
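
The access-log monitoring that both the advisory and the bulletin recommend can be sketched as follows. This is an added example, not part of the SecurityTracker entry or the ProCheckUp bulletin. It assumes the access log is in Common Log Format and that failed basic-authentication attempts are answered with 401; the threshold, the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident authuser [date] "method uri proto" status bytes
CLF = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                 r'"\S+ (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+')
# Both forms named in the advisory: /wp-force-auth and ?wp-force-auth
WP_FORCE_AUTH = re.compile(r'[/?]wp-force-auth\b', re.IGNORECASE)

def find_guessing(lines, threshold=5):
    """Return per-client stats for clients with >= threshold 401s on wp-force-auth."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "hit_after": False})
    for line in lines:
        m = CLF.match(line)
        # Decode %xx escapes first so an encoded path cannot slip past the match.
        if not m or not WP_FORCE_AUTH.search(unquote(m["uri"])):
            continue
        entry = stats[m["ip"]]
        if m["status"] == "401":
            entry["failures"] += 1
            if m["user"] != "-":          # authuser may be absent on failures
                entry["users"].add(m["user"])
        elif entry["failures"]:
            # Assumption: a non-401 answer after failures may mean a guess worked.
            entry["hit_after"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}

# Constructed sample log (documentation addresses, invented user names).
SAMPLE_LOG = (
    ['192.0.2.10 - - [08/Jan/2002:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043']
    + ['198.51.100.7 - user%d [08/Jan/2002:10:01:%02d +0000] '
       '"GET /wp-force-auth HTTP/1.0" 401 223' % (i, i) for i in range(6)]
    + ['198.51.100.7 - user5 [08/Jan/2002:10:01:09 +0000] '
       '"GET /%77p-force-auth HTTP/1.0" 200 0',
       '192.0.2.44 - - [08/Jan/2002:10:02:00 +0000] "GET /?wp-force-auth HTTP/1.0" 401 223']
)

if __name__ == "__main__":
    for ip, s in find_guessing(SAMPLE_LOG).items():
        print(ip, s["failures"], sorted(s["users"]), s["hit_after"])
```

Because the server provides no account lockout, a report like this is the only place repeated guesses become visible; clients flagged with hit_after set deserve the first look.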


 
 



Copyright 2019, SecurityGlobal.net LLC