iPlanet Messaging Server
Created 9/11/01
Impact
A remote attacker could execute arbitrary commands with
SYSTEM privileges.
Background
The iPlanet Messaging Server is an e-mail server for multiple
platforms. It supports the SMTP, POP3, and IMAP4 protocols,
as well as web-based e-mail.
Netscape Administration Server is a console program which
comes with iPlanet Messaging Server. It uses Basic HTTP
authentication for access control.
The Problems
Due to a buffer overflow condition in Netscape Administration
Server, it is possible for a remote attacker to execute
arbitrary code with SYSTEM privileges by
sending a long, specially crafted user name in the
authentication header. The evaluation version of iPlanet Messaging
Server 5.1 and possibly other versions are affected by
this vulnerability.
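
An added example, not part of the original advisory and not iPlanet code: a Python check, usable at a filtering proxy or in log review, that decodes Basic authentication headers and flags user names longer than a limit. The 64-byte limit, the function names and the sample requests are assumptions constructed for illustration; the advisory does not state the length that triggers the overflow.

```python
import base64
import binascii

MAX_USERNAME_LEN = 64  # assumed policy limit; the advisory gives no length


def basic_auth_username(header_value):
    """Return the user name (bytes) from an Authorization header value,
    or None if the value is not well-formed Basic credentials."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # In Basic credentials the user name is everything before the first colon.
    username, _, _ = decoded.partition(b":")
    return username


def check_request(header_value, max_len=MAX_USERNAME_LEN):
    """Classify one header value as 'ok', 'oversized' or 'malformed'."""
    username = basic_auth_username(header_value)
    if username is None:
        return "malformed"
    return "oversized" if len(username) > max_len else "ok"


def flag_requests(entries, max_len=MAX_USERNAME_LEN):
    """Return (source, verdict) for every entry that is not 'ok'."""
    flagged = []
    for source, header_value in entries:
        verdict = check_request(header_value, max_len)
        if verdict != "ok":
            flagged.append((source, verdict))
    return flagged


def _basic(credentials):
    return "Basic " + base64.b64encode(credentials).decode("ascii")


# Constructed sample input (documentation-range addresses, made-up credentials).
SAMPLE_REQUESTS = [
    ("192.0.2.10", _basic(b"admin:secret")),
    ("192.0.2.20", _basic(b"A" * 1024 + b":x")),
    ("192.0.2.30", "Basic !!!not-base64"),
]

if __name__ == "__main__":
    for source, verdict in flag_requests(SAMPLE_REQUESTS):
        print(source, verdict)
```

A length check of this kind reduces exposure only for requests that pass through it; restricting who can reach the Administration Server, as described under Resolution, still applies.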
Resolution
Install a patch when one becomes available. If a patch
is unavailable, set up access control on the Administration
Server to allow access only from trusted servers. Since it
is unknown at this time exactly which versions are
vulnerable, this precaution should be taken for all versions
of iPlanet Messaging Server.
Where can I read more about this?
This vulnerability was reported in SNS Advisory 41.