Vulnerability Report For Netscape (iPlanet) CMS and Netscape Directory Server

Advisory ID Internal

Bugtraq ID: 1839

CVE Name: CVE-2000-1075, CAN-2000-1076

Title: Path traversal and administrator password in clear text vulnerabilities

Class: Access Validation Error/Design Error

Remotely Exploitable: Yes

Locally Exploitable: Yes


Vulnerability Description:

Netscape (iPlanet) Certificate Management System, Netscape Directory Server and Nescape Administration Servers share components, which suffer from two notable vulnerabilities.

1. Path Traversal Vulnerability
The first vulnerability is a classic path traversal vulnerability whereby a user can supply a crafted URL and access files outside the web root directory. This will result in the remote user being able to read/download any files which the server itself (based on it's permissions) may access.

2. Administrator password is stored in clear text
The 'Admin' password for these packages is stored in plaintext in admin-serv\config\adm.conf. This in addition to the previous vulnerability will allow anyone to obtain the password remotely and perform admin duties if net access to the admin server is available.

Vulnerable Packages/Systems:

Netscape Certificate Management System 4.2 (MS Windows NT 4.0 version)
Netscape Directopy Server 4.12 (MS windows NT 4.0 version)


Solution/Vendor Information/Workaround:

Contact the vendor for a fix. Patches for IPlanet products can be obtained from

Additionally, advisories and information on security issues of these particular Netscape products can be obtained from:

(iPlanet) Certificate Management System

Netscape Directory Server

Vendor notified on: 10/02/2000


These vulnerabilities were found by Emiliano Kargieman and Agustín Kato Azubel from CORE SDI S.A., Buenos Aires, Argentina.

This advisory was drafted with the help of the

Vulnerability Help Team. For more information or assistance drafting advisories please mail


Technical Description - Exploit/Concept Code:

Several components installed by CMS 4.2 for Windows NT 4.0 allow an attacker to read/download any file outside the web root directory provided that access to any of the following servers is given:

- The Agent services server on port 8100/tcp

- The End Entity services server on port 443/tcp (This is normally accessable for any user over SSL)

- The Administrator services server listening on a random port choosen during the installation process, or on port 8200 if configured to do so (not the default behavior).

By using '\../' in the URI an attacker can get out of the server's root directory and open any file.

The following example demostrates the problem using the

End Entity services server:
A request for https://server/ca/\../\../\../\../\../\win.ini will open and display the requested file
. Admin password is stored in plantext in admin-serv\config\adm.conf.

This in addition to the previous bug will allow anyone to obtain the password remotely and perform admin duties if net access to the admin server is available.

The contents of this advisory are copyright (c) 2000 CORE SDI S.A. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.