iPlanet Vulnerabilities

Updated (3.3)

CVE-2000-1077

Impact

Buffer overflows in the iPlanet Web Server could allow a remote attacker to execute arbitrary commands, create a denial of service, or view pieces of other users' sessions.

Background

The iPlanet Web Server can be configured to run with server side parsing, allowing files on the server to be dynamically included in a web page before being sent to the client. Files ending in .shtml are processed with server side parsing.

The Problems


Server Side Parsing vulnerability

By sending a very long HTTP request ending in the .shtml extension, it is possible to cause a buffer overflow, which could be used to create a denial of service or to execute arbitrary code. This vulnerability affects iPlanet 4.0 and 4.1 web servers with server side parsing enabled.


Memory Leak

A buffer overflow in the processing of HTTP headers in iPlanet 4.0 and 4.1 web servers could result in a memory leak. By supplying a specially crafted Host: header in an HTTP request, an attacker could create a denial of service or read parts of the server's memory space which should not be accessible. In some cases, this memory space could contain pieces of other users' sessions, including authentication information which could be used to hijack those sessions.


Buffer overflow in HTTP method or URI request

By sending an invalid method or URI request, an attacker could cause the web server to stop responding. This vulnerability affects iPlanet web server version 4.1, service pack 3 through 7.


Web Publisher buffer overflow

In addition to standard HTTP request methods such as GET and POST, Netscape recognizes several other request methods, such as GETPROPERTIES and GETATTRIBUTENAMES. These request methods are part of Netscape's Web Publisher feature. A buffer overflow condition in the processing of these Web Publisher methods could allow a remote attacker to execute arbitrary code. Netscape Enterprise Server and iPlanet 4.1 (service pack 7) and earlier are affected by this vulnerability.

Resolutions

Upgrade to iPlanet 4.1 with service pack 8 or higher. If service pack 8 is unavailable, upgrade to iPlanet 4.1 with service pack 7, and install the NSAPI module.

Alternatively, the first problem can be fixed by disabling server side parsing, and the second can be fixed by applying the NSAPI module.
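
Until the upgrade is in place, the access log can be reviewed for the request patterns described under The Problems. The following check is an added example, not part of the original advisory or of any iPlanet tool. It assumes Common Log Format access logs and a 1024-byte URI threshold (the advisory says only "very long"), and the sample log lines are constructed.

```python
import re

# Assumed threshold: the advisory gives no number, so tune this per site.
MAX_URI_LEN = 1024
STANDARD_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}
# Web Publisher methods named in the advisory.
WEB_PUBLISHER_METHODS = {"GETPROPERTIES", "GETATTRIBUTENAMES"}

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(.*)" (\d{3}|-) (\d+|-)$')

def classify(line):
    """Return a list of findings for one access-log line."""
    m = CLF.match(line.rstrip("\n"))
    if not m:
        return ["unparseable log line"]
    parts = m.group(2).split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ["malformed request line"]
    method, uri, _ = parts
    path = uri.split("?", 1)[0]
    findings = []
    if method in WEB_PUBLISHER_METHODS:
        findings.append("Web Publisher method " + method)
    elif method not in STANDARD_METHODS:
        findings.append("non-standard method")
    # Server side parsing issue: very long request ending in .shtml
    if path.lower().endswith(".shtml") and len(uri) > MAX_URI_LEN:
        findings.append("oversized .shtml request (%d bytes)" % len(uri))
    return findings

def scan(lines):
    """Map client address -> findings, for lines that triggered any."""
    report = {}
    for line in lines:
        hits = classify(line)
        if hits:
            client = line.split(" ", 1)[0]
            report.setdefault(client, []).extend(hits)
    return report

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jun/2001:10:00:00 +0000] "GET /index.shtml HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jun/2001:10:00:01 +0000] "GET /' + "A" * 2000 + '.shtml HTTP/1.0" 500 0',
    '192.0.2.12 - - [01/Jun/2001:10:00:02 +0000] "GETPROPERTIES /docs/ HTTP/1.0" 200 128',
    '192.0.2.13 - - [01/Jun/2001:10:00:03 +0000] "BOGUS / HTTP/1.0" 501 0',
]
```

The Host: header issue is not covered here because Common Log Format does not record request headers; detecting it requires a log format or proxy that captures the Host value.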

Where can I read more about this?

The vulnerability in server side parsing was discussed in S.A.F.E.R. Security Bulletin 001026.EXP.1.8. The memory leak in the processing of HTTP headers was reported in @stake advisory 04.16.01. The buffer overflow in Web Publishing was reported in eEye security advisory AD20010515.