what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

safer.001026.EXP.1.8

safer.001026.EXP.1.8
Posted Oct 28, 2000
Authored by Vanja Hrustic, Fyodor Yarochkin, Thomas Dullien | Site safermag.com

S.A.F.E.R. Security Bulletin 001026.EXP.1.8 - iPlanet Web Server 4.x for Solaris, Linux, and Windows NT contains a remotely exploitable buffer overflow if server side parsing is enabled with the "parsed html" option.

tags | web, overflow
systems | linux, windows, solaris
SHA-256 | 22b7bfa6cd36594ff96d31ea269f256e311351303fa334059f3529b110ff1068

safer.001026.EXP.1.8

Change Mirror Download
__________________________________________________________

S.A.F.E.R. Security Bulletin 001026.EXP.1.8
__________________________________________________________


TITLE : Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module
DATE : October 26, 2000
NATURE : Remote execution of code, Denial-of-Service
AFFECTED : Confirmed on Solaris, Linux and Windows NT

PROBLEM:

Buffer overflow exists in iPlanet Web Server 4.x, which can lead to
Denial-of-Service or remote execution of code in context of user which iWS
webserver is running as. 'Parsed HTML' option (server side parsing) must
be enabled for vulnerability to be exploited.

DETAILS:

By sending a request of 198-240 characters (depending on the iWS
version/platform) with extension .shtml (by default), it is possible to
overflow internal buffer in stack. iWS must have server side 'parsing'
turned on. By default (when enabled), .shtml files are parsed.

Overflow happens in logging function (when iWS tries to report that file
is not found). If exploitation is successful (or iWS segfaults), nothing
will remain in the logs.

EXPLOIT:

Exploit will be released in 2 weeks (this is subject to change).

FIXES:

Workaround is to disable server side parsing of HTML pages.

We are not aware of any vendor fixes for this issue. Vendor has been
notified on multiple instances (including mass-mailing to every single
vendor email we could find) about this and other problems during January
and February (including '?wp tags' - see
https://www.safermag.com/advisories/0008.shtml). The vendor published a
workaround for ?wp tags, but we have received no feedback on the SHTML
problem. On March 23rd we contacted Sun/iPlanet again and on March 24th it
was suggested to have a conference call / discussion. We never heard from
them again.

CREDITS:

Vanja Hrustic <vanja@relaygroup.com>
Fyodor Yarochkin <fyodor@relaygroup.com>
Thomas Dullien <thomas@relaygroup.com>


__________________________________________________________

S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2000 The Relay Group
https://www.safermag.com ---- security@relaygroup.com
__________________________________________________________




Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close