Title: Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module
Released by: S.A.F.E.R.
Date: 26th October 2000

      S.A.F.E.R. Security Bulletin 001026.EXP.1.8


TITLE    : Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module

DATE     : October 26, 2000

NATURE   : Remote execution of code, Denial-of-Service

AFFECTED : Confirmed on Solaris, Linux and Windows NT


A buffer overflow exists in iPlanet Web Server 4.x which can lead to
Denial-of-Service or remote execution of code in the context of the user
the iWS web server is running as. The 'Parsed HTML' option (server side
parsing) must be enabled for the vulnerability to be exploited.


By sending a request of 198-240 characters (depending on the iWS
version/platform) for a file with the .html extension (the default parsed
extension), it is possible to overflow an internal buffer on the stack.
iWS must have server side 'parsing' turned on; by default (when enabled),
.html files are parsed.

The overflow happens in the logging function (when iWS tries to report
that the file is not found). If exploitation is successful (or iWS
segfaults), nothing will remain in the logs.
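As an added example (not part of the original advisory), a small Python filter that flags requests matching the pattern described above: an over-long path ending in .html. Because the overflow occurs inside the iWS logging routine, the server's own access log cannot be relied on, so the filter is meant for Common Log Format lines from a reverse proxy or IDS in front of iWS; the log format, field names, threshold constant and sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Lower bound of the 198-240 character range given in the advisory; the exact
# value depends on iWS version/platform, so alert at the lower bound (assumption).
MIN_PATH_LEN = 198
PARSED_EXT = ".html"   # extension parsed by default when server side parsing is on

# Common Log Format: the request line is quoted, e.g. "GET /x.html HTTP/1.0"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)


def flag_request(line):
    """Return a dict describing the request if it matches the advisory's
    pattern (over-long path with the parsed extension), otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m.group("target")).path
    if not path.lower().endswith(PARSED_EXT):
        return None
    if len(path) < MIN_PATH_LEN:
        return None
    return {
        "host": m.group("host"),
        "time": m.group("ts"),
        "path_len": len(path),
        "status": m.group("status"),
    }


def scan(lines):
    """Run flag_request over an iterable of log lines and keep the hits."""
    return [hit for hit in map(flag_request, lines) if hit]


# Constructed sample lines (not from the advisory): one normal page fetch,
# one over-long .html request and one over-long request for a non-parsed file.
SAMPLE = [
    '10.0.0.5 - - [26/Oct/2000:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.9 - - [26/Oct/2000:10:00:02 +0000] "GET /' + "A" * 220 + '.html HTTP/1.0" 404 0',
    '10.0.0.9 - - [26/Oct/2000:10:00:03 +0000] "GET /' + "B" * 220 + '.txt HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```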


An exploit will be released in 2 weeks (this is subject to change).


The workaround is to disable server side parsing of HTML pages.

We are not aware of any vendor fixes for this issue. The vendor has been
notified on multiple occasions (including mass-mailing every vendor email
address we could find) about this and other problems during January and
February (including the '?wp tags' issue; see
http://www.safermag.com/advisories/0008.html). The vendor published a
workaround for ?wp tags, but we have received no feedback on the SHTML
problem. On March 23rd we contacted Sun/iPlanet again and on March 24th it
was suggested to have a conference call / discussion. We never heard from
them again.


Vanja Hrustic 

Fyodor Yarochkin 

Thomas Dullien 


   S.A.F.E.R. - Security Alert For Enterprise Resources

          Copyright (c) 2000 The Relay Group

  http://www.safermag.com  ----  security@relaygroup.com

