A buffer overflow exists in the iPlanet Web Servers (Enterprise and FastTrack Editions) that may allow remote attackers to gain read access to sensitive information contained in the memory of the web server process. The information disclosed may include userids, passwords, cookies or authentication data belonging to other users of the web server. With this data the attacker may be able to falsely authenticate themselves to the web server as other users. In some cases, the attacker may be able to prevent the normal operation of the web server using this vulnerability.
The problem occurs when the web server responds with a "302 Moved Temporarily" redirection error. One easy way to obtain this error is to request a URL for a directory while omitting the trailing slash. The Location: header contained in this response is composed in part from the Host: header contained in the request. By carefully manipulating the length of the Host: header before and after URL encoding, the attacker can cause the resulting Location: header to contain information in adjacent memory on the web server.
The advisory from @Stake describing this problem in more detail is available from:
A remote attacker can obtain sensitive information from the memory of the web server, including userids, passwords, cookies or authentication data belonging to other users of the web server. With this data the attacker may be able to falsely authenticate themselves to the web server as other users. In some cases, the attacker may be able to prevent the normal operation of the web server using this vulnerability.
Upgrade your Web Server
Filter HTTP Requests with Large Headers
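One way to express such a filter for the Host: header, as an added example that is not code from the CERT/CC, @Stake or the vendor. The names `check_host` and `encoded_len` and the 255-byte limit are assumptions (the note states no threshold); the check refuses values that are oversized or whose length would change under URL encoding.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed limit: the note gives no threshold. 255 bytes covers any valid
 * DNS name plus a port; tune it for the deployment. */
#define MAX_HOST_LEN 255

enum host_verdict { HOST_OK, HOST_EMPTY, HOST_TOO_LONG, HOST_BAD_CHAR };

/* Bytes legal in a Host value: hostname or IP literal, optional port. */
static int host_char_ok(unsigned char c)
{
    return isalnum(c) || c == '.' || c == '-' || c == ':' ||
           c == '[' || c == ']';
}

/* Length the value would have after percent-encoding every byte that is
 * not a legal Host character (each such byte becomes "%XX"). */
size_t encoded_len(const char *s, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += host_char_ok((unsigned char)s[i]) ? 1 : 3;
    return out;
}

/* Filter decision for one Host header value of n bytes (not necessarily
 * NUL-terminated, as in a raw request buffer). */
enum host_verdict check_host(const char *host, size_t n)
{
    if (n == 0)
        return HOST_EMPTY;
    if (n > MAX_HOST_LEN)
        return HOST_TOO_LONG;
    /* A byte that encoding would expand makes the raw and encoded
     * lengths differ; refuse the request instead of forwarding it. */
    if (encoded_len(host, n) != n)
        return HOST_BAD_CHAR;
    return HOST_OK;
}
```

A front-end proxy or request filter would call `check_host` on each request and answer 400 for anything other than `HOST_OK`, so the web server never builds a Location: header from such a value.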
The CERT/CC thanks Kevin Dunn and Chris Eng of @Stake, Inc. for reporting this vulnerability to the CERT/CC and working with the vendor to produce patches.
This document was written by Cory F. Cohen.
Date First Published: 2001-04-17
Date Last Updated: 2001-04-17 14:28 UTC