SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#276767

iPlanet web servers expose sensitive data via buffer overflow

Overview

A buffer overflow exists in the iPlanet Web Servers (Enterprise and FastTrack Editions) that may allow remote attackers to gain read access to sensitive information contained in the memory of the web server process. The information disclosed may include userids, passwords, cookies or authentication data belonging to other users of the web server. With this data the attacker may be able to falsely authenticate themselves to the web server as other users. In some cases, the attacker may be able to prevent the normal operation of the web server using this vulnerability.

I. Description

The problem occurs when the web server responds with a "302 Moved Temporarily" redirection error. One easy way to obtain this error is to request a URL for a directory while omitting the trailing slash. The Location: header contained in this response is composed in part from the Host: header contained in the request. By carefully manipulating the length of the Host: header before and after URL encoding, the attacker can cause the resulting Location: header to contain information in adjacent memory on the web server.

The advisory from @Stake describing this problem in more detail is available from:

II. Impact

A remote attacker can obtain sensitive information from the memory of the web server, including userids, passwords, cookies or authentication data belonging to other users of the web server. With this data the attacker may be able to falsely authenticate themselves to the web server as other users. In some cases, the attacker may be able to prevent the normal operation of the web server using this vulnerability.

III. Solution

Upgrade your Web Server


System administrators are encouraged to upgrade their systems to a non-vulnerable version of the web server software. Information about upgrading your web server is available from iPlanet at:


Filter HTTP Requests with Large Headers

Sites that are able to deploy a monitoring system between the Internet and their web server may be able to detect and block packets with large amounts of header data. Possible mechanisms include an NSAPI filter, an active intrusion detection system, or a reverse-proxy web server. The @Stake advisory contains more detailed suggestions for detecting and monitoring malicious HTTP requests of this type.

Systems Affected
VendorStatusDate NotifiedDate Updated
IPlanetVulnerable17-Apr-2001

References


http://www.atstake.com/research/advisories/2001/a041601-1.txt
http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html

Credit

The CERT/CC thanks Kevin Dunn and Chris Eng of @Stake, Inc. for reporting this vulnerability to the CERT/CC and working with the vendor to produce patches.

This document was written by Cory F. Cohen.

Other Information

Date Public:2001-04-16
Date First Published:2001-04-17
Date Last Updated:2001-04-17
CERT Advisory: 
CVE-ID(s):CAN-2001-0327
NVD-ID(s):CAN-2001-0327
US-CERT Technical Alerts: 
Metric:21.09
Document Revision:13

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader