Notified:  March 08, 2005 Updated: August 10, 2006

Status

Affected

Vendor Statement

Vendor Statement: Red Hat, Inc. Netscape Enterprise Server 6.0 is vulnerable to this issue. A work around that completely blocks this issue is available below. Please note that Netscape Enterprise Server 6.0 is discontinued and Red Hat will not be releasing software updates for this issue. Workaround: Set a default error message for "Not Found" that does not include a link to the referring page. To configure such a message, follow these steps: - Log into admin server - Select an instance to manage - Select Class Manager in the upper-right - Select the Content Management tab - Select Error Responses link in left frame - You need to define a Custom Error Response for Error code: Not found. - Add the entire path to a file under File, or redirect the user elsewhere. See the Help button for more information. - Save, then Apply to restart the server Alternatively, manually add an error response, such as the following, to obj.conf: Error fn="send-error" reason="Not Found" path="/path/to/docs/errors/notfound.html" The content that Netscape Enterprise Server would send without the referring site is:

Not Found

The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.