CVSS2 Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
EPSS Percentile | 86.6% |
A buffer overflow exists in the iPlanet Web Servers (Enterprise and FastTrack Editions) that may allow remote attackers to gain read access to sensitive information contained in the memory of the web server process. The information disclosed may include userids, passwords, cookies or authentication data belonging to other users of the web server. With this data the attacker may be able to falsely authenticate themselves to the web server as other users. In some cases, the attacker may be able to prevent the normal operation of the web server using this vulnerability.
The problem occurs when the web server responds with a “302 Moved Temporarily” redirection error. One easy way to obtain this error is to request a URL for a directory while omitting the trailing slash. The Location: header contained in this response is composed in part from the Host: header contained in the request. By carefully manipulating the length of the Host: header before and after URL encoding, the attacker can cause the resulting Location: header to contain information in adjacent memory on the web server.
The advisory from @Stake describing this problem in more detail is available from:
A remote attacker can obtain sensitive information from the memory of the web server, including userids, passwords, cookies or authentication data belonging to other users of the web server. With this data the attacker may be able to falsely authenticate themselves to the web server as other users. In some cases, the attacker may be able to prevent the normal operation of the web server using this vulnerability.
Upgrade your Web Server
System administrators are encouraged to upgrade their systems to a non-vulnerable version of the web server software. Information about upgrading your web server is available from iPlanet at:
Filter HTTP Requests with Large Headers
Sites that are able to deploy a monitoring system between the Internet and their web server may be able to detect and block packets with large amounts of header data. Possible mechanisms include an NSAPI filter, an active intrusion detection system, or a reverse-proxy web server. The @Stake advisory contains more detailed suggestions for detecting and monitoring malicious HTTP requests of this type.
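One way to implement the large-header check described above, as an added example (not code from the CERT/CC note, iPlanet or @Stake). The size limits, the hostname pattern and the function name `inspect_request` are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed thresholds; tune them to the site's real traffic.
MAX_HOST_LEN = 261          # 255-byte DNS name + ":" + 5-digit port
MAX_HEADER_BYTES = 8192     # request line plus all headers
HOST_RE = re.compile(rb"(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?")

def inspect_request(raw: bytes) -> list[str]:
    """Return the reasons to reject a raw HTTP request (empty list = pass)."""
    reasons = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    if len(head) > MAX_HEADER_BYTES:
        reasons.append("header block too large")
    hosts = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) > 1:
        reasons.append("multiple Host headers")
    for host in hosts:
        decoded = unquote_to_bytes(host)
        # Measure the value both as sent and after URL decoding, because the
        # note says the two lengths differ in a malicious request.
        if max(len(host), len(decoded)) > MAX_HOST_LEN:
            reasons.append("Host header too long")
        if decoded != host:
            reasons.append("Host header is URL-encoded")
        elif not HOST_RE.fullmatch(host):
            reasons.append("Host header has invalid characters")
    return reasons

# Constructed sample requests (not captured traffic).
NORMAL = b"GET /docs HTTP/1.0\r\nHost: www.example.com:8080\r\n\r\n"
OVERSIZED = b"GET /docs HTTP/1.0\r\nHost: " + b"a" * 4000 + b"\r\n\r\n"
ENCODED = b"GET /docs HTTP/1.0\r\nHost: www.example.com%41%41\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("oversized", OVERSIZED),
                       ("encoded", ENCODED)):
        print(label, inspect_request(req) or "pass")
```

The same checks can sit in a reverse proxy or an intrusion detection rule; rejected requests are worth logging with the source address so repeated probes stand out.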
276767
Notified: April 16, 2001 Updated: April 17, 2001
Affected
iPlanet has acknowledged that this problem exists and that it affects the iPlanet Web Server (iWS) 4.x product line. iPlanet has addressed this vulnerability by issuing a fix made available in two formats: an upgrade, iWS 4.1 SP7 or an NSAPI module that will shield the server from the problem. These fixes, which eliminate the risk posed by this vulnerability, have been published to the iPlanet Web site, along with implementation instructions.
<http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
The CERT/CC thanks Kevin Dunn and Chris Eng of @Stake, Inc. for reporting this vulnerability to the CERT/CC and working with the vendor to produce patches.
This document was written by Cory F. Cohen.
CVE IDs: | CVE-2001-0327 |
---|---|
Severity Metric: | 21.09 |
Date Public: | |