Vulnerability Note VU#630355

Netscape and iPlanet Enterprise Servers fail to sanitize log files before they are displayed using the administration client

Overview

iPlanet Enterprise Server and Netscape Enterprise Server versions prior to 4.1 SP12 have a vulnerability involving the rendering of <SCRIPT> tags embedded in the web logs when viewed through the administration client.

I. Description

Requests made to web servers are routinely logged by the web server to a log file, even if these requests are invalid or malicious in some way. Normally, this presents no security problems, and in fact allows administrators to record possible attacks against their system. However, in iPlanet Enterprise Server and Netscape Enterprise Server versions prior to 4.1 SP12, these malicious log entries are not correctly sanitized before being viewed through the browser-based administration client. This allows a remote attacker to embed malicious <SCRIPT> tags in the URL of requests, which may later be executed in the administrator's browser when the administrator reviews the logs.

When the malicious script embedded in the log files is viewed through the administration client, the administrator has already authenticated to the web server, and has additional privileges. In particular, by redirecting the administrator to other pages in the administration client, the attacker can perform certain administration activities including starting or stopping the web server.

iPlanet and Netscape servers with versions greater than 4.1 SP12 (including 6.x) are not vulnerable to this problem. Netscape web server versions prior to the iPlanet alliance are vulnerable. The problem is reported to have existed in some versions of 6.x prior to SP2.
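The flaw class described above, as an added example that is not taken from the advisory or from the vendor's code: a log viewer that writes request fields into its HTML page verbatim, beside one that encodes every field first. The log lines, field names and function names are constructed for illustration, and the Common Log Format layout is an assumption about the log format.

```python
import html
import re

# Constructed Common Log Format lines (sample data, not from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Dec/2002:10:15:32 -0500] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.77 - - [04/Dec/2002:10:16:01 -0500] '
    '"GET /<SCRIPT>alert(1)</SCRIPT> HTTP/1.0" 404 207',
]
FIELDS = ("host", "time", "request", "status", "size")
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')


def parse(line):
    """Split one log line into named fields; None if it does not match."""
    m = CLF.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None


def render_row_unsafe(entry):
    """Flaw class from the note: logged request data reaches the page verbatim."""
    return "<tr>" + "".join("<td>%s</td>" % entry[f] for f in FIELDS) + "</tr>"


def render_row_safe(entry):
    """Encode every field for the HTML context before it is written out."""
    cells = (html.escape(entry[f], quote=True) for f in FIELDS)
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


def render_log_safe(lines):
    """Render a whole log; lines that fail to parse are escaped, never echoed raw."""
    rows = []
    for line in lines:
        entry = parse(line)
        if entry:
            rows.append(render_row_safe(entry))
        else:
            rows.append('<tr><td colspan="5">%s</td></tr>' % html.escape(line, quote=True))
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def has_markup(entry):
    """Triage helper: request contains '<' raw or percent-encoded."""
    return re.search(r"<|%3c", entry["request"], re.IGNORECASE) is not None


if __name__ == "__main__":
    print(render_log_safe(SAMPLE_LOG))
```

The encoding is applied at output time, so the log file itself keeps the original request bytes for later investigation.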

II. Impact

A remote attacker can execute arbitrary script as the administrator of the server by embedding <SCRIPT> tags in URL requests that are subsequently viewed in the administration client. Because the administrator has authenticated to the server via the administration client at the time the malicious script is executed, the malicious script can take administration actions on the server, including starting or stopping the server. Attackers may also be able to perform other server administration actions.

III. Solution

Apply a Patch


System administrators are encouraged to apply Service Pack 12, which corrects this vulnerability.

Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| iPlanet | Vulnerable | | 8-Oct-2002 |
| Netscape Communications Corporation | Vulnerable | | 9-Dec-2002 |
| Sun Microsystems Inc. | Vulnerable | | 27-Mar-2003 |

References


http://www.procheckup.com/security_info/vuln_pr0215.html
http://securitytracker.com/alerts/2002/Dec/1005755.html

Credit

Thanks to Steve Knight at ProCheckup for reporting this vulnerability to the CERT/CC on July 25th, 2002, and working for many weeks to notify vendors and wait for patches to be available.

This document was written by Cory F. Cohen.

Other Information

Date Public: 2002-12-04
Date First Published: 2002-12-09
Date Last Updated: 2003-03-27
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 1.37
Document Revision: 7

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2002 Carnegie Mellon University