exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

safer.001026.EXP.1.8

safer.001026.EXP.1.8
Posted Oct 28, 2000
Authored by Vanja Hrustic, Fyodor Yarochkin, Thomas Dullien | Site safermag.com

S.A.F.E.R. Security Bulletin 001026.EXP.1.8 - iPlanet Web Server 4.x for Solaris, Linux, and Windows NT contains a remotely exploitable buffer overflow if server side parsing is enabled with the "parsed html" option.

tags | web, overflow
systems | linux, windows, solaris
SHA-256 | 22b7bfa6cd36594ff96d31ea269f256e311351303fa334059f3529b110ff1068

safer.001026.EXP.1.8

Change Mirror Download
__________________________________________________________

S.A.F.E.R. Security Bulletin 001026.EXP.1.8
__________________________________________________________


TITLE : Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module
DATE : October 26, 2000
NATURE : Remote execution of code, Denial-of-Service
AFFECTED : Confirmed on Solaris, Linux and Windows NT

PROBLEM:

Buffer overflow exists in iPlanet Web Server 4.x, which can lead to
Denial-of-Service or remote execution of code in context of user which iWS
webserver is running as. 'Parsed HTML' option (server side parsing) must
be enabled for vulnerability to be exploited.

DETAILS:

By sending a request of 198-240 characters (depending on the iWS
version/platform) with extension .shtml (by default), it is possible to
overflow internal buffer in stack. iWS must have server side 'parsing'
turned on. By default (when enabled), .shtml files are parsed.

Overflow happens in logging function (when iWS tries to report that file
is not found). If exploitation is successful (or iWS segfaults), nothing
will remain in the logs.

EXPLOIT:

Exploit will be released in 2 weeks (this is subject to change).

FIXES:

Workaround is to disable server side parsing of HTML pages.

We are not aware of any vendor fixes for this issue. Vendor has been
notified on multiple instances (including mass-mailing to every single
vendor email we could find) about this and other problems during January
and February (including '?wp tags' - see
http://www.safermag.com/advisories/0008.shtml). The vendor published a
workaround for ?wp tags, but we have received no feedback on the SHTML
problem. On March 23rd we contacted Sun/iPlanet again and on March 24th it
was suggested to have a conference call / discussion. We never heard from
them again.

CREDITS:

Vanja Hrustic <vanja@relaygroup.com>
Fyodor Yarochkin <fyodor@relaygroup.com>
Thomas Dullien <thomas@relaygroup.com>


__________________________________________________________

S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2000 The Relay Group
http://www.safermag.com ---- security@relaygroup.com
__________________________________________________________




Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    11 Files
  • 30
    Jun 30th
    7 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close