iPlanet Vulnerabilities

Updated 8/12/02
CVE 2000-1077
CVE 2001-0327
CAN 2001-0431
CAN 2001-0746
CAN 2001-0747
CAN 2002-0845

Impact

Buffer overflows and related request-parsing flaws in the iPlanet Web Server could allow a remote attacker to execute arbitrary code as the web server process, crash the server (denial of service), or read fragments of server memory, including pieces of other users' sessions.

Background

The Sun ONE / iPlanet Web Server (the successor to Netscape Enterprise Server) has had a number of buffer overflow vulnerabilities, most of them in the parsing of HTTP requests: the chunked transfer encoding, the request method and URI, the Host: header, and requests for server-parsed (.shtml) files. NOTE: iPlanet is now a division of Sun, and is a core component of the Sun Open Net Environment (ONE).

The Problems


Buffer Overflow in Chunked Transfer Encoding

8/12/02
CAN 2002-0845
An attacker can trigger a buffer overflow in the web server by sending a malformed request that uses chunked transfer encoding. At a minimum the overflow crashes the server process, denying service; because it is a buffer overflow, it may also allow the attacker to execute arbitrary code with the privileges of the web server process. This vulnerability affects Sun ONE / iPlanet Web Server 4.1 and 6.0.
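As an added illustration (this is not iPlanet's code, whose chunk handling is not shown here), the following C program demonstrates the bug class behind a chunked transfer encoding overflow: a chunk reader that trusts the size the client declared, beside one that bounds that size by the receive buffer and by the bytes actually received. The CHUNK_BUF size, the frame struct, the function names and the sample chunks are hypothetical constructions for the demo.

```c
/* Added example, not iPlanet's code: the bug class behind a chunked
 * transfer encoding overflow.  One reader trusts the chunk size the client
 * declared, the other bounds it.  CHUNK_BUF, the frame layout and the
 * sample chunks are hypothetical constructions for the demo. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_BUF 64                     /* per-chunk receive buffer (hypothetical) */

/* Stand-in for a stack frame: the chunk buffer followed by bytes that must
 * survive untouched (in a real frame: saved registers, return address). */
struct frame {
    char buf[CHUNK_BUF];
    char sentinel[8];                    /* holds "CANARY!" during the demo */
};

/* Parse the "<hex-size>[;extension]CRLF" line that opens every chunk.
 * Returns the declared size, or -1 if the line is not well formed. */
long parse_chunk_size(const char *line)
{
    char *end;
    unsigned long v;

    if (!isxdigit((unsigned char)line[0]))       /* no sign, space or empty line */
        return -1;
    if (line[0] == '0' && (line[1] | 0x20) == 'x')
        return -1;                               /* strtoul takes "0x"; HTTP does not */
    errno = 0;
    v = strtoul(line, &end, 16);
    if (errno == ERANGE || v > LONG_MAX)         /* too many hex digits for a long */
        return -1;
    if (*end != ';' && strncmp(end, "\r\n", 2) != 0)
        return -1;                               /* only an extension or CRLF may follow */
    return (long)v;
}

/* VULNERABLE: copies as many bytes as the client declared.  A size above
 * CHUNK_BUF overruns the destination; a size above the bytes received
 * over-reads the input.  noinline hides the destination's real size from
 * the compiler, as it would be hidden across a real server's call chain. */
__attribute__((noinline))
static long read_chunk_unchecked(const char *size_line, const char *body, char *out)
{
    long n = parse_chunk_size(size_line);
    if (n < 0)
        return -1;
    memcpy(out, body, (size_t)n);                /* no comparison with CHUNK_BUF */
    return n;
}

/* HARDENED: the declared size is bounded by the destination and by the bytes
 * actually received before anything is copied; oversize is rejected outright. */
static long read_chunk_checked(const char *size_line, const char *body,
                               size_t body_len, char *out, size_t out_len)
{
    long n = parse_chunk_size(size_line);
    if (n < 0 || (size_t)n > out_len || (size_t)n > body_len)
        return -1;
    memcpy(out, body, (size_t)n);
    return n;
}

/* Feed one chunk to a reader and report on the sentinel past the buffer:
 * 1 = intact, 0 = overwritten, -1 = the reader rejected the chunk. */
int sentinel_after(int hardened, const char *size_line,
                   const char *body, size_t body_len)
{
    struct frame f;
    long n;

    memset(f.buf, 0, sizeof f.buf);
    memcpy(f.sentinel, "CANARY!", sizeof f.sentinel);
    n = hardened ? read_chunk_checked(size_line, body, body_len, f.buf, sizeof f.buf)
                 : read_chunk_unchecked(size_line, body, f.buf);
    if (n < 0)
        return -1;
    return memcmp(f.sentinel, "CANARY!", sizeof f.sentinel) == 0;
}

/* Constructed body of 72 'A's.  A chunk declaring 0x48 = 72 bytes exceeds the
 * 64-byte buffer by exactly the sentinel, so the unchecked reader overwrites
 * the sentinel without writing outside the frame. */
const char SAMPLE_BODY[] = "AAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAA";

int main(void)
{
    size_t len = sizeof SAMPLE_BODY - 1;
    printf("unchecked reader, chunk size 0x48: sentinel %s\n",
           sentinel_after(0, "48\r\n", SAMPLE_BODY, len) ? "intact" : "overwritten");
    printf("checked reader,   chunk size 0x48: %s\n",
           sentinel_after(1, "48\r\n", SAMPLE_BODY, len) < 0 ? "rejected" : "accepted");
    printf("checked reader,   chunk size 0x10: sentinel %s\n",
           sentinel_after(1, "10\r\n", SAMPLE_BODY, len) == 1 ? "intact" : "overwritten");
    return 0;
}
```

The sentinel stands in for whatever sits past the buffer in a real frame; in the unchecked reader the declared size alone decides how much is written there. The hardened reader also rejects a chunk whose declared size exceeds the bytes already received rather than truncating, since a truncated chunk would silently desynchronise the rest of the body.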


Web Publishing denial of service

1/17/02
When web publishing is enabled, Web Publisher commands can be passed to the server from an ordinary web browser by appending them to the query string of a URL. One such command, wp-html-rend, causes the server to stop responding, so an attacker who sends a request such as http://server/?wp-html-rend one or more times can deny service to legitimate users. This vulnerability affects iPlanet 4.0 and 4.1 through Service Pack 8 running on Windows platforms.


Server Side Parsing vulnerability

CVE 2000-1077
iPlanet Web Server can be configured with server side parsing, which lets files on the server be dynamically included in a web page before it is sent to the client; files ending in .shtml are processed this way. By sending a very long HTTP request for a URL ending in the .shtml extension, an attacker can overflow a buffer, which can be used to create a denial of service or to execute arbitrary code. This vulnerability affects iPlanet 4.0 and 4.1 web servers with server side parsing enabled.


Memory Leak

CVE 2001-0327
CAN 2001-0431
A buffer overflow in the processing of HTTP headers in iPlanet 4.0 and 4.1 web servers can leak the contents of server memory to the client (an information disclosure, not a resource leak). By supplying a specially crafted Host: header in an HTTP request, an attacker can create a denial of service or read parts of the server's memory space that should not be accessible. In some cases that memory contains pieces of other users' sessions, including authentication information that could be used to hijack those sessions.


Buffer overflow in HTTP method or URI request

CAN 2001-0746
CAN 2001-0747
By sending a request with a malformed HTTP method or request URI, an attacker can overflow a buffer and cause the web server to stop responding. This vulnerability affects iPlanet Web Server version 4.1, Service Pack 3 through Service Pack 7.


Web Publisher buffer overflow

5/18/01
In addition to standard HTTP request methods such as GET and POST, Netscape Enterprise Server and iPlanet recognize several other request methods, such as GETPROPERTIES and GETATTRIBUTENAMES, which belong to the Web Publisher feature. A buffer overflow in the processing of these Web Publisher methods could allow a remote attacker to execute arbitrary code. Netscape Enterprise Server and iPlanet 4.1 Service Pack 7 and earlier are affected by this vulnerability.
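As an added example, not taken from any of the advisories cited on this page, the following C classifier flags request lines matching the patterns described in the Web Publishing denial of service, server side parsing, HTTP method/URI and Web Publisher method entries above, so that they can be picked out of access logs or packet captures. The flag names, the SHTML_LEN_LIMIT threshold, the method lists and the sample request lines are constructed for the demo; the two Web Publisher method names are the ones this page mentions.

```c
/* Added example, not iPlanet's code: a classifier for the request patterns
 * this page describes, meant to run over request lines taken from access
 * logs or captures.  The method lists, the .shtml length limit and the
 * sample lines are constructed for the demo. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SHTML_LEN_LIMIT 512   /* hypothetical: longer .shtml URIs get flagged */
enum {
    F_WP_COMMAND    = 1,      /* a wp-* Web Publisher command in the query string */
    F_WP_HTML_REND  = 2,      /* the wp-html-rend command specifically */
    F_LONG_SHTML    = 4,      /* overlong request for a server-parsed (.shtml) file */
    F_WEBPUB_METHOD = 8,      /* GETPROPERTIES / GETATTRIBUTENAMES */
    F_ODD_METHOD    = 16,     /* any other method that is not a standard one */
    F_MALFORMED     = 32      /* line does not parse as an upper-case METHOD and a URI */
};

static const char *const STD_METHODS[] = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", NULL };
/* The two Web Publisher methods the advisory names; extend as needed. */
static const char *const WEBPUB_METHODS[] = { "GETPROPERTIES", "GETATTRIBUTENAMES", NULL };

static int in_list(const char *const *list, const char *s, size_t n)
{
    for (; *list; list++)
        if (strlen(*list) == n && memcmp(*list, s, n) == 0)
            return 1;
    return 0;
}

/* Bounded substring search: the haystack is not NUL-terminated at hl. */
static int contains(const char *h, size_t hl, const char *needle)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= hl; i++)
        if (memcmp(h + i, needle, nl) == 0)
            return 1;
    return 0;
}

/* Classify one "METHOD URI HTTP/x.y" request line; returns F_* flags. */
int classify_request_line(const char *line)
{
    const char *sp = strchr(line, ' ');
    if (!sp || sp == line)
        return F_MALFORMED;
    size_t mlen = (size_t)(sp - line);
    const char *uri = sp + 1;
    const char *sp2 = strchr(uri, ' ');
    size_t ulen = sp2 ? (size_t)(sp2 - uri) : strlen(uri);
    if (ulen == 0)
        return F_MALFORMED;
    int flags = 0;
    for (size_t i = 0; i < mlen; i++)              /* methods are upper-case tokens */
        if (!isupper((unsigned char)line[i]))
            flags |= F_MALFORMED;
    if (in_list(WEBPUB_METHODS, line, mlen))
        flags |= F_WEBPUB_METHOD;
    else if (!in_list(STD_METHODS, line, mlen))
        flags |= F_ODD_METHOD;

    const char *q = memchr(uri, '?', ulen);         /* Web Publisher commands ride in the query */
    size_t plen = q ? (size_t)(q - uri) : ulen;     /* path part, before any '?' */
    if (q) {
        size_t qlen = ulen - plen - 1;
        if (contains(q + 1, qlen, "wp-"))
            flags |= F_WP_COMMAND;
        if (contains(q + 1, qlen, "wp-html-rend"))
            flags |= F_WP_HTML_REND;
    }
    if (plen >= 6 && memcmp(uri + plen - 6, ".shtml", 6) == 0 && ulen > SHTML_LEN_LIMIT)
        flags |= F_LONG_SHTML;
    return flags;
}

/* Constructed sample: a .shtml request whose path is padded far past the limit. */
int demo_long_shtml(void)
{
    char line[1024];
    size_t n = (size_t)snprintf(line, sizeof line, "GET /");
    memset(line + n, 'A', 700);
    n += 700;
    snprintf(line + n, sizeof line - n, ".shtml HTTP/1.0");
    return classify_request_line(line);
}

int main(void)
{
    /* Constructed request lines, one per pattern described on this page. */
    static const char *const samples[] = {
        "GET /index.html HTTP/1.0",           /* 0: nothing to report */
        "GET /?wp-html-rend HTTP/1.0",        /* 3: Web Publisher DoS command */
        "GETPROPERTIES /docs/ HTTP/1.0",      /* 8: Web Publisher method */
        "GET\x7f / HTTP/1.0",                 /* 48: malformed, non-standard method */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flags=%2d  %s\n", classify_request_line(samples[i]), samples[i]);
    printf("flags=%2d  GET /AAA...AAA.shtml HTTP/1.0 (707-byte URI)\n", demo_long_shtml());
    return 0;
}
```

The flags are independent bits so one line can carry several findings; a non-standard method with an overlong .shtml path, for instance, reports both. The malformed-request overflow of CAN 2001-0746 and 2001-0747 has no public signature on this page beyond "invalid method or URI", so the classifier only reports that the method token is not a well-formed upper-case token or is not one it knows; what counts as a standard method should be tuned to what the server actually serves.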

Resolutions

Upgrade to iPlanet 4.1 Service Pack 11 or later, or to Sun ONE / iPlanet 6.0 Service Pack 4 or later. If web publishing is enabled, also disable the wp-html-rend command using the NSAPI method referenced in iPlanet Knowledge Base Article 7761. Since both the wp-html-rend denial of service and the Web Publisher method overflow live in the Web Publisher feature, leave web publishing disabled on servers that do not need it.

Where can I read more about this?

The Sun ONE / iPlanet chunked transfer buffer overflow is explained in a Sun Security Advisory. The Web Publishing denial of service is described in ProCheckUp Security Bulletin 01-04 and CERT Vulnerability Note 191763. The vulnerability in server side parsing was discussed in S.A.F.E.R. Security Bulletin 001026.EXP.1.8. The memory leak in the processing of HTTP headers was reported in @stake advisory 04.16.01. The buffer overflow in Web Publishing was reported in eEye security advisory AD20010515.