Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

defcom.netscape-enterprise.txt

🗓️ 02 Feb 2001 00:00:00Reported by Defcom LabsType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 31 Views

Netscape Enterprise Server 4.1, SP5 crashes from dotdot-URLs, no workaround available.

Code
`======================================================================  
Defcom Labs Advisory def-2001-04  
  
Netscape Enterprise Server Dot-DoS  
  
Author: Peter Gründl <[email protected]>  
Release Date: 2001-01-22  
======================================================================  
------------------------=[Brief Description]=-------------------------  
The Netscape Enterprise Server 4.1, SP5 has a problem dealing with  
dotdot-URLs. The problem can result in the service crashing.  
  
------------------------=[Affected Systems]=--------------------------  
- Netscape Enterprise Server 4.1, SP5 for Windows NT 4.0  
  
----------------------=[Detailed Description]=------------------------  
If a GET request is performed which includes at least 1344 x /../, the  
web service will crash. This goes for both the normal HTTP service and  
the admin service. The crash has to be performed twice, since NES will  
reestablish the service the first time it crashes.  
  
---------------------------=[Workaround]=-----------------------------  
None known. We've only come across this bug on 4.1, SP5, but would not  
rule out the possibility of it existing in other versions.  
  
-------------------------=[Vendor Response]=--------------------------  
This issue was brought to the vendor's attention on the 7th of  
December, 2000. Vendor replied on the 22nd of January, 2001 and has  
been unable to reproduce the bug:  
  
"I've used their perl script to abuse an iWS4.1sp5 server. The server  
does not crash, politetly returns errors to the client, and logs  
errors.  
  
However, given the announcement on the Iplanet Web site regarding iWS  
stability I would recommend they upgrade to SP6, URL given below.  
  
http://www.iplanet.com/support/iws-alert/index.html"  
  
According to the URL supplied by Netscape, there is no SP6 for IWS4.1,  
so it is adviced that people try this out for themselves to determine  
if they are vulnerable. It was found on Windows NT 4.0, with SP6a.  
  
======================================================================  
This release was brought to you by Defcom Labs  
  
[email protected] www.defcom.com  
======================================================================  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Feb 2001 00:00Current
7.4High risk
Vulners AI Score7.4
netscape enterprise serverdot-dos vulnerabilityservice crashaffected versionsno workaroundvendor response
31