Disclosure Vulnerability in Netscape Web Publisher

Reported January 9, 2001, by Chris Wysopal.


  • Netscape Enterprise Server 4.0 Service Pack 2 up to 4.1 Service Pack 8 for Windows 2000 and Windows NT


A vulnerability exists in Netscape Enterprise Server’s Web Publishing feature that lets an attacker use brute force to access user names and passwords that the system has stored. By using the Web Publishing command “?wp-force-auth” in conjunction with an HTTP GET request carrying an Authorization: Basic header with Base64-encoded usernames/passwords, an intruder can obtain a valid username/password combination from the directory.



The vendor, iPlanet, acknowledges this vulnerability and has released a knowledge base article on this issue. iPlanet further recommends that affected users disable the Web Publishing and Directory Indexing features on externally accessible systems and add the ?wp-force-auth command to Intrusion Detection System (IDS) patterns.
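The IDS recommendation above can also be applied to the server's access logs. The following is an added example, not code from iPlanet or the original advisory: it assumes Common Log Format access logs, that a rejected Basic login is logged with status 401, and that a successful one records the user name in the authuser field. The threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
MARKER = "wp-force-auth"   # the Web Publishing command named in the advisory
THRESHOLD = 3              # assumed alerting threshold for failures per client

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jan/2001:10:00:01 +0000] "GET /?wp-force-auth HTTP/1.0" 401 223
192.0.2.10 - - [09/Jan/2001:10:00:02 +0000] "GET /?wp-force-auth HTTP/1.0" 401 223
192.0.2.10 - - [09/Jan/2001:10:00:03 +0000] "GET /?WP-Force-Auth HTTP/1.0" 401 223
192.0.2.10 - admin [09/Jan/2001:10:00:04 +0000] "GET /?wp%2Dforce%2Dauth HTTP/1.0" 200 1024
198.51.100.7 - - [09/Jan/2001:10:05:00 +0000] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [09/Jan/2001:10:06:00 +0000] "GET /docs/?wp-force-auth HTTP/1.0" 401 223
"""

def scan(log_text, threshold=THRESHOLD):
    """Return {client: {"failed": n, "succeeded_as": [users]}} for flagged clients."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded_as": []})
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, user, _method, target, status = m.groups()
        _path, _, query = target.partition("?")
        # Normalise the query (percent-decoding, case) before matching the command.
        if MARKER not in unquote(query).lower():
            continue
        if status == "401":
            stats[host]["failed"] += 1
        elif status.startswith("2") and user != "-":
            stats[host]["succeeded_as"].append(user)
    # Flag repeated failures, or any authenticated success alongside a failure.
    return {h: s for h, s in stats.items()
            if s["failed"] >= threshold or (s["failed"] and s["succeeded_as"])}

if __name__ == "__main__":
    for host, s in scan(SAMPLE_LOG).items():
        print(host, s)
```

A flagged client with a non-empty `succeeded_as` list indicates an account whose password should be treated as exposed and reset.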


Discovered by Richard Brain.
