Novell eDirectory/iMonitor Remote Code Execution Security Advisory: Novell's HTTP Protocol Stack (httpstk) is a component of iMonitor which provides a web-based interface for management of eDirectory, an LDAP service forming the basis for many of the world s largest identity-management deployments. The code fails to check the length of client-supplied HTTP Host request-header (e.g. Host: www.host.com) values before using them to build a formatted URL into an inadequate, statically-sized buffer on the stack. This condition occurs in a call to snprintf() while the server is preparing an HTTP redirect response and can be triggered remotely, before any authentication takes place. This can allow attacker supplied code to be executed on vulnerable systems.
83f493818d78f80ff8f029bc85f643e0e2806d60376926715e9dc35b65088b58