||Home : Advisories : Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module|
||Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module
||26th October 2000
S.A.F.E.R. Security Bulletin 001026.EXP.1.8
TITLE : Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module
DATE : October 26, 2000
NATURE : Remote execution of code, Denial-of-Service
AFFECTED : Confirmed on Solaris, Linux and Windows NT
Buffer overflow exists in iPlanet Web Server 4.x, which can lead to
Denial-of-Service or remote execution of code in context of user which iWS
webserver is running as. 'Parsed HTML' option (server side parsing) must
be enabled for vulnerability to be exploited.
By sending a request of 198-240 characters (depending on the iWS
version/platform) with extension .html (by default), it is possible to
overflow internal buffer in stack. iWS must have server side 'parsing'
turned on. By default (when enabled), .html files are parsed.
Overflow happens in logging function (when iWS tries to report that file
is not found). If exploitation is successful (or iWS segfaults), nothing
will remain in the logs.
Exploit will be released in 2 weeks (this is subject to change).
Workaround is to disable server side parsing of HTML pages.
We are not aware of any vendor fixes for this issue. Vendor has been
notified on multiple instances (including mass-mailing to every single
vendor email we could find) about this and other problems during January
and February (including '?wp tags' - see
http://www.safermag.com/advisories/0008.html). The vendor published a
workaround for ?wp tags, but we have received no feedback on the SHTML
problem. On March 23rd we contacted Sun/iPlanet again and on March 24th it
was suggested to have a conference call / discussion. We never heard from
S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2000 The Relay Group
http://www.safermag.com ---- firstname.lastname@example.org