iPlanet Remote File Viewing

2002-07-10T00:00:00
ID SECURITYVULNS:DOC:3187
Type securityvulns
Reporter Securityvulns
Modified 2002-07-10T00:00:00

Description

Sun iPlanet Web Server Remote File Viewing Vulnerability

Vendor:
    Sun Microsystems

Product:
    iPlanet Web Server 6.0 SP2
    iPlanet Web Server 4.1 SP9
    Netscape Enterprise Server 3.6

Platforms:
    Windows 2000
    Windows NT
    Other platforms not tested

Category:
    Information Leak

Author:
    turambar386@routergod.com

Date:
    July 9 2002

Description

Sun's iPlanet Web Server has a flaw in its search function that allows remote viewing of any files on the server.

Details

The search engine that is included with iPlanet and previous versions uses HTML pattern files to get and format search parameters from users. By using the NS-query-pat command, a user can specify their own query pattern file rather than using the default one provided by the web site. Unfortunately, the search engine does no validity checking on the query pattern file thus requested. If, for instance, you telnet to port 80 on an iWS web server and issue the command:

    GET /search?NS-query-pat=..\..\..\..\..\boot.ini

iPlanet will happily provide you with the contents of the boot.ini file. This overrides all access control lists.

This has been tested on all versions of NES and iWS on Windows NT and 2000. Versions on other platforms may not be affected.

Workaround

Turn off the search engine (it is off by default on 6.0) until a fix is provided.

I have written a Snort alert for this, but in light of David Litchfield's buffer overflow advisory, I suggest turning off the search engine altogether. Still, here is the Snort sig:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC iPlanet Search Engine File Viewing"; flags:A+; uricontent:"NS-query-pat"; classtype:web-application-attack; sid:1000999; rev:1;)

You will need to put this near the top of your web-misc.rules file; otherwise an attack may be identified simply as a web traversal attempt.
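As an added defensive example (not from the advisory and not Sun's code), the same condition checked offline over web server access-log lines in Python: where the Snort signature fires on any request carrying NS-query-pat, this flags only values that, after percent-decoding, would actually leave the pattern directory, with either slash or backslash as separator. The log lines are constructed, in Common Log Format, and the code assumes legitimate pattern files are plain names with no directory part.

```python
# Added example, not from the advisory. Assumes legitimate pattern files are
# plain names directly under the search pattern directory (no subdirectories).
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A ".." path component, after both separators are normalised to "/".
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Common Log Format: client ident user [timestamp] "METHOD target proto" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

def query_pat_values(request_target):
    """All NS-query-pat values in a request target, percent-decoded.
    parse_qs decodes once; the extra unquote also catches "%252e%252e"."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return [unquote(v) for v in params.get("NS-query-pat", [])]

def is_traversal(value):
    """True if the requested pattern name would escape the pattern directory."""
    normalised = value.replace("\\", "/")
    if normalised.startswith("/") or re.match(r"[A-Za-z]:", normalised):
        return True  # absolute Unix path or a Windows drive letter
    return TRAVERSAL.search(normalised) is not None

def scan_log(lines):
    """(client, target, status) for every request that looks like the attack."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        if any(is_traversal(v) for v in query_pat_values(target)):
            hits.append((client, target, int(status)))
    return hits

# Constructed sample log: two attempts (one percent-encoded) and two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jul/2002:10:00:01 -0400] "GET /search?NS-query-pat=..\\..\\..\\..\\..\\boot.ini HTTP/1.0" 200 312',
    '10.0.0.6 - - [09/Jul/2002:10:00:02 -0400] "GET /search?NS-query-pat=custom.pat&NS-query=iplanet HTTP/1.0" 200 4012',
    '10.0.0.7 - - [09/Jul/2002:10:00:03 -0400] "GET /search?NS-query-pat=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0" 200 988',
    '10.0.0.8 - - [09/Jul/2002:10:00:04 -0400] "GET /index.html HTTP/1.0" 200 1200',
]

if __name__ == "__main__":
    for client, target, status in scan_log(SAMPLE_LOG):
        print(f"{client} requested {target} (HTTP {status})")
```

A 200 status on a flagged request means the server served the file, which is the case to escalate; a 404 or 403 shows the attempt was blocked.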

Vendor Contact Information

I originally wrote to Sun about this on May 22 2002 and was advised that it would be fixed in the next Service Pack. David Litchfield says that 6.0 SP3/4.1 SP10 is out, but I don't yet see it on their Product Tracker site. I was going to wait to release this information until I had the Service Pack, feeling secure with my Snort sig, but decided to go ahead since it pales in comparison to David's buffer overflow advisory.

Credit

This bug was originally brought to my attention by a scan from the good folks at Qualys Corporation. Unfortunately, Qualys did not provide an actual advisory on it and I could not find any such beast elsewhere. Hence I decided to research the problem and write my own.