iPlanet web servers expose sensitive data via buffer overflow

Overview

A buffer overflow exists in the iPlanet Web Servers (Enterprise and FastTrack Editions) that may allow remote attackers to gain read access to sensitive information contained in the memory of the web server process. The information disclosed may include userids, passwords, cookies or authentication data belonging to other users of the web server. With this data the attacker may be able to falsely authenticate themselves to the web server as other users. In some cases, the attacker may be able to prevent the normal operation of the web server using this vulnerability.

Description

The problem occurs when the web server responds with a “302 Moved Temporarily” redirection error. One easy way to obtain this error is to request a URL for a directory while omitting the trailing slash. The Location: header contained in this response is composed in part from the Host: header contained in the request. By carefully manipulating the length of the Host: header before and after URL encoding, the attacker can cause the resulting Location: header to contain information in adjacent memory on the web server.

The advisory from @Stake describing this problem in more detail is available from:

<http://www.atstake.com/research/advisories/2001/a041601-1.txt&gt;

Impact

A remote attacker can obtain sensitive information from the memory of the web server, including userids, passwords, cookies or authentication data belonging to other users of the web server. With this data the attacker may be able to falsely authenticate themselves to the web server as other users. In some cases, the attacker may be able to prevent the normal operation of the web server using this vulnerability.

---

Solution

Upgrade your Web Server

System administrators are encouraged to upgrade their systems to a non-vulnerable version of the web server software. Information about upgrading your web server is available from iPlanet at:

<http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html&gt;

Filter HTTP Requests with Large Headers

Sites that are able to deploy a monitoring system between the Internet and their web server may be able to detect and block packets with large amounts of header data. Possible mechanisms include an NSAPI filter, an active intrusion detection system, or a reverse-proxy web server. The @Stake advisory contains more detailed suggestions for detecting and monitoring malicious HTTP requests of this type.

---

Vendor Information

276767

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

IPlanet __ Affected

Notified: April 16, 2001 Updated: April 17, 2001

Status

Affected

Vendor Statement

iPlanet has acknowledged that this problem exists and that it affects the iPlanet Web Server (iWS) 4.x product line. iPlanet has addressed this vulnerability by issuing a fix made available in two formats: an upgrade, iWS 4.1 SP7 or an NSAPI module that will shield the server from the problem. These fixes, which eliminate the risk posed by this vulnerability, have been published to the iPlanet Web site, along with implementation instructions.

<http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23276767 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.atstake.com/research/advisories/2001/a041601-1.txt&gt;
• <http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html&gt;

Acknowledgements

The CERT/CC thanks Kevin Dunn and Chris Eng of @Stake, Inc. for reporting this vulnerability to the CERT/CC and working with the vendor to produce patches.

This document was written by Cory F. Cohen.

Other Information

CVE IDs:	CVE-2001-0327
Severity Metric:	21.09 Date Public: