Vulnerability

    iPlanet / Netscape Enterprise Web Publisher

Affected

    Netscape Enterprise 4.1 and prior versions.

Description

    Riley Hassell from eEye found the following. The Web Publisher
    feature in Netscape Enterprise 4.1 is vulnerable to a buffer
    overflow. By sending a large buffer containing executable code and
    a new Instruction Pointer, an attacker is able to gain remote
    system shell access to the vulnerable server.

    The overflow itself exists in Publisher's handling of the URI
    (Uniform Resource Identifier). By specifying GETPROPERTIES,
    GETATTRIBUTENAMES, or any other one of the publisher-specific
    methods, we can pass data into the vulnerable section of the server
    and exploit the vulnerability.

    Example:

        C:\>telnet www.example.com 80
        Connecting To www.example.com... connected.
        GETPROPERTIES /(buffer) HTTP/1.1
        Host: Hostname (enter) (enter)

    Where (buffer) is 2000 characters.

    There is no proof-of-concept exploit yet; however, expect one soon.

Solution

    Quote from iPlanet's development team:

    "The security & stability of iPlanet's customer's environments is
    one of our paramount concerns. To ensure the stability of our
    customer's environments iPlanet has made available an NSAPI patch
    that can be applied to iPlanet Web Server, Enterprise Edition."

    The NSAPI patch is available at:

        http://iplanet.com/products/iplanet_web_enterprise/iwsalert5.11.html

    This issue will also be addressed by the release of iPlanet Web
    Server, Enterprise Edition version 4.1 Service Pack 8.
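A log check for the request pattern described above, added here as an example (it is not part of the advisory and not iPlanet's code): it flags access-log entries where a publisher-specific method carries an oversized URI. It assumes Common Log Format access logs and a 1024-character URI threshold; the function name and the sample log lines are constructed for illustration.

```python
import re

# Methods named in the advisory; extend with the other publisher-specific
# methods enabled on your server.
PUBLISHER_METHODS = {"GETPROPERTIES", "GETATTRIBUTENAMES"}

# Assumed threshold, well under the 2000-character buffer in the advisory.
MAX_URI_LEN = 1024

# Common Log Format. The protocol token is optional because an overlong
# request may be logged truncated, and the status may be "-".
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>[^" ]*)(?: [^"]*)?" (?P<status>\d{3}|-) '
)

def find_oversized_publisher_requests(lines, max_uri_len=MAX_URI_LEN):
    """Return one dict per log line that pairs a publisher method with a long URI."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m or m["method"] not in PUBLISHER_METHODS:
            continue  # unparsable line or not a publisher method
        if len(m["uri"]) > max_uri_len:
            hits.append({
                "line": lineno,
                "client": m["client"],
                "time": m["ts"],
                "method": m["method"],
                "uri_len": len(m["uri"]),
                "status": m["status"],
            })
    return hits

# Constructed sample log (documentation address ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/May/2001:10:00:01 -0700] "GET /index.html HTTP/1.0" 200 2048',
    '192.0.2.11 - editor [11/May/2001:10:00:05 -0700] "GETPROPERTIES /docs/a.html HTTP/1.1" 200 312',
    '198.51.100.7 - - [11/May/2001:10:02:13 -0700] "GETPROPERTIES /' + "A" * 2000 + ' HTTP/1.1" 500 0',
    '198.51.100.7 - - [11/May/2001:10:02:20 -0700] "GETATTRIBUTENAMES /' + "B" * 1500 + '" - -',
    '192.0.2.12 - - [11/May/2001:10:03:00 -0700] "GET /' + "C" * 3000 + ' HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for hit in find_oversized_publisher_requests(SAMPLE_LOG):
        print(hit)
```

Hits that coincide with a server crash or restart on an unpatched host deserve priority during triage.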