Vulnerability Note VU#276767

iPlanet web servers expose sensitive data via buffer overflow

Original Release date: 17 Apr 2001 | Last revised: 17 Apr 2001

Overview

A buffer overflow exists in the iPlanet Web Servers (Enterprise and FastTrack Editions) that may allow remote attackers to gain read access to sensitive information contained in the memory of the web server process. The information disclosed may include userids, passwords, cookies or authentication data belonging to other users of the web server. With this data the attacker may be able to falsely authenticate themselves to the web server as other users. In some cases, the attacker may be able to prevent the normal operation of the web server using this vulnerability.

Description

The problem occurs when the web server responds with a "302 Moved Temporarily" redirection error. One easy way to obtain this error is to request a URL for a directory while omitting the trailing slash. The Location: header contained in this response is composed in part from the Host: header contained in the request. By carefully manipulating the length of the Host: header before and after URL encoding, the attacker can cause the resulting Location: header to contain information in adjacent memory on the web server.

The advisory from @Stake describing this problem in more detail is available from:

Impact

A remote attacker can obtain sensitive information from the memory of the web server, including userids, passwords, cookies or authentication data belonging to other users of the web server. With this data the attacker may be able to falsely authenticate themselves to the web server as other users. In some cases, the attacker may be able to prevent the normal operation of the web server using this vulnerability.

Solution

Upgrade your Web Server

System administrators are encouraged to upgrade their systems to a non-vulnerable version of the web server software. Information about upgrading your web server is available from iPlanet at:

Filter HTTP Requests with Large Headers

Sites that are able to deploy a monitoring system between the Internet and their web server may be able to detect and block packets with large amounts of header data. Possible mechanisms include an NSAPI filter, an active intrusion detection system, or a reverse-proxy web server. The @Stake advisory contains more detailed suggestions for detecting and monitoring malicious HTTP requests of this type.
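As an added illustration of the filtering workaround described above (example code, not from the CERT note, the @Stake advisory or iPlanet), here is a small Python request inspector that measures the Host header both before and after URL encoding, since the Description says the overflow hinges on that length difference, and tags requests that exceed a size limit. The limits, tag names and sample requests are assumptions constructed for this example.

```python
from urllib.parse import quote

MAX_HOST_RAW = 255       # assumed bound on a legitimate Host header (bytes)
MAX_HOST_ENCODED = 255   # same assumed bound applied after percent-encoding
MAX_HEADER_BLOCK = 4096  # assumed bound on request line plus all headers


def parse_request(raw: str):
    """Return (headers dict with lower-cased names, size of the header block)."""
    head = raw.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, len(head)


def inspect_request(raw: str) -> list:
    """Return reason tags for a suspicious request; an empty list means clean."""
    headers, header_bytes = parse_request(raw)
    host = headers.get("host", "")
    # Keep ':' unencoded so a normal "host:port" value is not penalised.
    encoded = quote(host, safe=":")
    reasons = []
    if header_bytes > MAX_HEADER_BLOCK:
        reasons.append("header-block-too-large")
    if len(host) > MAX_HOST_RAW:
        reasons.append("host-raw-too-long")
    if len(encoded) > MAX_HOST_ENCODED:
        reasons.append("host-encoded-too-long")
    if len(encoded) > len(host):
        # The note says the bug depends on the Host length differing before
        # and after URL encoding, so any growth is worth logging on its own.
        reasons.append("host-expands-on-encoding")
    return reasons


# Constructed sample requests for a directory URL without its trailing slash,
# which the note says provokes the 302 response that builds the Location header.
SAMPLES = {
    "clean": "GET /docs HTTP/1.0\r\nHost: www.example.com:8080\r\n\r\n",
    "long_host": "GET /docs HTTP/1.0\r\nHost: " + "a" * 300 + ".example.com\r\n\r\n",
    "expanding_host": "GET /docs HTTP/1.0\r\nHost: " + "b" * 200 + "#" * 40 + "\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, inspect_request(request) or "ok")
```

A reverse proxy or NSAPI filter would apply the same checks inline and reject or log the request rather than just printing tags.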

Systems Affected

Vendor    Status    Date Notified    Date Updated
iPlanet   Affected  16 Apr 2001      17 Apr 2001

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

Credit

The CERT/CC thanks Kevin Dunn and Chris Eng of @Stake, Inc. for reporting this vulnerability to the CERT/CC and working with the vendor to produce patches.

This document was written by Cory F. Cohen.

Other Information

  • CVE IDs: CAN-2001-0327
  • Date Public: 16 Apr 2001
  • Date First Published: 17 Apr 2001
  • Date Last Updated: 17 Apr 2001
  • Severity Metric: 21.09
  • Document Revision: 13
