iPlanet Web Server Publishing Feature Allows Remote Users to Conduct Brute Force Password Guessing Attempts
SecurityTracker Alert ID: 1003156
SecurityTracker URL: http://securitytracker.com/id/1003156
Date: Jan 8 2002
User access via network
Vendor Confirmed: Yes; Exploit Included: Yes
Version(s): 4.0 SP2, SP6 to 4.1 SP8; possibly other versions
ProCheckUp reported a password guessing vulnerability in the iPlanet Web Server. If publishing is enabled, a remote user can invoke a publishing command which will provide a login screen. A script can be used with this to brute-force guess passwords.
A remote user can invoke the ?wp-force-auth command to conduct a brute force password guessing attack. No account lockout features are provided.
The server must be configured for HTTP basic authentication and publishing must be enabled for this exploit method to apply.
A remote user can attempt to guess user names and passwords on the server without triggering an account lockout.
The vendor recommends that when you enable web publishing, you treat the web server as an environment that must be secured, ensuring that users follow proper password policies such as using hard to guess passwords. Also, access logs should be monitored for suspicious requests. The vendor also recommends that if intrusion detection software is used, it should be configured to check for wp-force-auth requests.
Vendor URL: knowledgebase.iplanet.com/ikb/kb/articles/7764.html
Underlying OS: Linux (Any), UNIX (AIX), UNIX (DGUX), UNIX (HP/UX), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
Source Message Contents
Subject: Netscape publishing wp-force-auth command
8th January 2002:
ProCheckUp Security Bulletin PR01-05
Netscape publishing wp-force-auth
Netscape Enterprise 4.0 SP2,SP6 to 4.1
Solaris and Windows NT
Remote attackers can force basic
Netscape has released a fix
Remote attackers can easily use the wp-force-auth
command to perform brute force password cracking.
http://server/wp-force-auth is entered in the
Remote attackers can easily perform a brute force
password crack on Netscape Enterprise servers, no
password protected directories or programs are required.
The server has to have a correctly operating connection
with a directory server, which has valid users and
Netscape Enterprise has a selection of ?wp-* (Web
publishing) commands built into the web server. We have
found one of these commands ?wp-force-auth reliably
brings up a logon prompt. Publishing needs to be enabled
for this command to work.
We have modified one of our brute force password
cracking programs and found that it works reliably with
wp-force-auth, the HTTP request we use is GET
/wp-force-auth with an Authorization:Basic header and
Base 64 encoded usernames and passwords.
?wp-force-auth is one of the wp commands, provided by
To discover if publishing is enabled, enter the following
url http://server/publisher into your web browser. If a
screen appears then publishing is enabled.
Our test platforms for this vulnerability were Intel NT4
SP6 and Sparc Solaris Server 2.6.
When you enable web publishing, you should treat the
web server as an environment that must be secured.
Ensure that users follow proper password policies such as
using hard to guess passwords. If intruder detection
software is used, it should be configured to check for
HTTP basic authentication is generally not considered a
secure mechanism and should be run over an SSL-enabled
port. In addition, access logs should be monitored for
suspicious requests. A better alternative would be to use
client certificates, which are much more secure.
To see the vulnerability releases go to iPlanet/7764
For related topics go to iPlanet/4302, iPlanet/7761
Copyright 2001 ProCheckUp Ltd. All rights reserved.
Permission is granted for copying and circulating this
bulletin to the Internet community for the purpose of
alerting them to problems, if and only if, the bulletin is
not edited or changed in any way, is attributed to
ProCheckUp, and provided such reproduction and/or
distribution is performed for non-commercial purposes.
Any other use of this information is prohibited.
ProCheckUp is not liable for any misuse of this information
by any third party.
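Both the vendor recommendation in the alert summary and the bulletin's own advice come down to the same operational control: watch the access log for wp-force-auth requests and have intrusion detection flag them, since the server itself never locks an account. The script below is an added example written for this page; it is not code from SecurityTracker, ProCheckUp or iPlanet. It parses constructed NCSA Common Log Format lines (iPlanet's default access-log layout is assumed to be close to this; adjust the regex if your format differs), flags requests that carry wp-force-auth either as a path component or in the ?wp-force-auth query form mentioned in the advisory, and raises two kinds of alert per client address: a run of 401 responses inside a sliding window, and a 2xx response that follows such a run (a guess that may have landed). The threshold, window length and minimum failure count are assumptions to tune for your traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in NCSA Common Log Format; these are
# not real iPlanet logs. Client 10.0.0.9 sends a burst of failed (401)
# wp-force-auth requests under several names and then receives a 200;
# client 10.0.0.7 fails once and then succeeds, which looks like normal use.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [08/Jan/2002:10:00:02 +0000] "GET /wp-force-auth HTTP/1.0" 401 0
10.0.0.9 - - [08/Jan/2002:10:00:02 +0000] "GET /wp-force-auth HTTP/1.0" 401 0
10.0.0.9 - alice [08/Jan/2002:10:00:03 +0000] "GET /wp-force-auth HTTP/1.0" 401 0
10.0.0.9 - bob [08/Jan/2002:10:00:03 +0000] "GET /wp-force-auth HTTP/1.0" 401 0
10.0.0.9 - bob [08/Jan/2002:10:00:04 +0000] "GET /wp-force-auth HTTP/1.0" 401 0
10.0.0.9 - bob [08/Jan/2002:10:00:05 +0000] "GET /wp-force-auth HTTP/1.0" 200 512
10.0.0.7 - carol [08/Jan/2002:10:01:00 +0000] "GET /docs/?wp-force-auth HTTP/1.0" 401 0
10.0.0.7 - carol [08/Jan/2002:10:01:30 +0000] "GET /docs/?wp-force-auth HTTP/1.0" 200 88
"""

# Common Log Format: client ident user [timestamp] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The command may appear as a path segment (/wp-force-auth) or in the
# query form (?wp-force-auth) that the advisory uses; require a delimiter
# on both sides so that unrelated names do not match.
WP_FORCE_AUTH = re.compile(r'(?:^|[/?&])wp-force-auth(?:$|[/?&])')


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m['ip'], 'user': m['user'], 'ts': ts,
            'path': m['path'], 'status': int(m['status'])}


def is_force_auth(path):
    """True if the request path or query invokes wp-force-auth."""
    return WP_FORCE_AUTH.search(path) is not None


def detect(lines, threshold=5, window=timedelta(seconds=60), min_failures=3):
    """Scan log lines in order and return a list of alert tuples.

    ('brute_force', ip, failures_in_window, [distinct user names tried])
        fires when a client accumulates `threshold` 401 responses to
        wp-force-auth requests inside the sliding `window`.
    ('success_after_failures', ip, user, preceding_failures)
        fires when a 2xx response to wp-force-auth follows at least
        `min_failures` recent 401s from the same client.
    Threshold, window and min_failures are assumed starting values.
    """
    alerts = []
    failures = defaultdict(list)  # ip -> [(timestamp, user)] of recent 401s
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_force_auth(rec['path']):
            continue
        ip = rec['ip']
        # Keep only failures that are still inside the window.
        recent = [(t, u) for (t, u) in failures[ip] if rec['ts'] - t <= window]
        if rec['status'] == 401:
            recent.append((rec['ts'], rec['user']))
            if len(recent) == threshold:  # fire once as the threshold is crossed
                users = sorted({u for _, u in recent if u != '-'})
                alerts.append(('brute_force', ip, len(recent), users))
        elif 200 <= rec['status'] < 300:
            if len(recent) >= min_failures:
                alerts.append(('success_after_failures', ip, rec['user'], len(recent)))
            recent = []  # a success ends the current run for this client
        failures[ip] = recent
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Feed the script a real access log with `detect(open(path))` and route the tuples into whatever alerting you already have; the `success_after_failures` alert is the one worth paging on, because it is the pattern the bulletin describes with the lockout that never comes.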