SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Sun ONE/iPlanet Web Server
Vendors:   Netscape, Sun
iPlanet Web Server Allows Remote Users to Corrupt Data on the Server and May Allow Remote Users to Execute Arbitrary Code on the Server
SecurityTracker Alert ID:  1001338
SecurityTracker URL:  http://securitytracker.com/id/1001338
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 17 2001
Impact:   Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.x
Description:   iPlanet has released a security advisory warning of a vulnerability in iPlanet Web Server Enterprise Edition 4.x products that allows remote users to execute arbitrary code on the server.

The vendor's advisory is void of details.

However, the vendor warns that without this patch/upgrade, the problem will persist and affect the site's data security, potentially leading to a data corruption event.

The vendor also indicates that the vulnerability is a buffer overflow and can be exploited with malformed HTTP headers.

Impact:   A remote user could cause data on the server to be corrupted and may be able to cause arbitrary code to be executed by the web server.
Solution:   The vendor indicates that this vulnerability can be fixed by upgrading to iPlanet Web Server version 4.1sp7 or by installing the NSAPI module that the vendor provides. However, the vendor warns of a potential performance impact when using the NSAPI solution and recommends that it be only a short-term measure while upgrading to iPlanet Web Server 4.1sp7.
Vendor URL:  www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  iPlanet Web Server 4.x Product Alert


I'm sending this because I was not able to find it in the bugtraq archive
yet. iPlanet does not seem to inform bugtraq (why?). The information posted
herein can be found in
http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html

---------------------------------------------------------------------
Important iPlanet Web Server 4.x Product Alert:
Recommend Immediate Patch/Upgrade

April 16, 2001

iPlanet has identified a security vulnerability in the iPlanet
Web Server Enterprise Edition 4.x products. This problem does
not affect any releases of the product prior to the 4.x versions;
however it does affect all iPlanet applications operating on the
iPlanet Web Server platform. A patch and implementation
instructions to address it are now available.

Without this patch/upgrade, the problem will persist and affect
your site's data security, potentially leading to a data corruption
event. iPlanet urges all users of the iPlanet Web Server to
upgrade immediately to prevent any potential data security
risks.


This problem can be addressed by upgrading to iPlanet Web
Server version 4.1sp7 or by installing this NSAPI module.

Due to a potential performance impact the use of the NSAPI
solution should be a short-term solution while undertaking the
steps necessary to upgrade to iPlanet Web Server 4.1sp7.

---------------------------------------------------------------------

Cheers /Sepp


 
 



Copyright 2019, SecurityGlobal.net LLC