SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Sun ONE/iPlanet Web Server
Vendors:   Netscape, Sun
iPlanet Web Server Can Be Crashed By Remote Users Sending a Certain Publishing Command
SecurityTracker Alert ID:  1003155
SecurityTracker URL:  http://securitytracker.com/id/1003155
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 8 2002
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 4.0 SP2,SP6 to 4.1 SP8
Description:   ProCheckUp reported a denial of service vulnerability in the iPlanet Web Server. A remote user can cause the web service to crash if the server has 'publishing' enabled.

It is reported that a remote user can send the following type of URL to the web server one or more times to cause the service to crash, requiring a manual restart to return to normal operations:

http://server/?wp-html-rend

This flaw can apparently be triggered only if publishing is enabled.
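
To check whether such requests have reached a server, the following added example (not part of the original advisory) scans access log lines for the ?wp-html-rend query string and counts hits per client. It assumes Common Log Format; the sample lines are constructed, and matching case-insensitively after percent-decoding is a choice of this example, not something the advisory states about the flaw.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Common Log Format prefix: client, ident, user, [timestamp], "METHOD target ..."
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def rend_requests(log_lines):
    """Yield (client, timestamp, target) for requests carrying ?wp-html-rend."""
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, when, _method, target = m.group(1, 2, 3, 4)
        # Decode %XX escapes and fold case so encoded variants are not missed.
        query = unquote(urlsplit(target).query).lower()
        # The command is the bare query string (or one &-separated item),
        # not a value such as q=wp-html-rend.
        if "wp-html-rend" in query.split("&"):
            yield client, when, target

def hits_per_client(log_lines):
    """Count matching requests per client; repeats matter because the
    advisory says more than one request may be needed."""
    return Counter(client for client, _, _ in rend_requests(log_lines))

# Constructed sample log lines (documentation address ranges)
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [08/Jan/2002:10:00:05 +0000] "GET /?wp-html-rend HTTP/1.0" 200 0',
    '198.51.100.7 - - [08/Jan/2002:10:00:06 +0000] "GET /?WP%2Dhtml%2Drend HTTP/1.0" 200 0',
    '192.0.2.10 - - [08/Jan/2002:10:00:09 +0000] "GET /search?q=wp-html-rend HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for client, count in hits_per_client(SAMPLE_LOG).items():
        print(client, count)
```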

Impact:   A remote user can cause the web service to crash, requiring a manual restart to return to normal operations.
Solution:   It is reported that the ?wp-html-rend command can be disabled by using the NSAPI SAF. To install the SAF, load the disrend.dll on your system and add the following lines to your obj.conf. The PathCheck line should be the first PathCheck listed.

Init fn="load-modules" funcs="disRend" shlib="/disrend.dll"
PathCheck fn="disRend"

The Netscape disrend.dll file is available at:

http://www.procheckup.com/vulnerabilities/fix/disrend.dll
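
One way to confirm the workaround is wired in as described, written here as an added example and not code from Netscape or ProCheckUp: it checks that obj.conf loads disRend and that, in any object where the disRend PathCheck appears, it is the first PathCheck. It assumes one directive per line with no continuation lines; the sample configurations are constructed.

```python
import re

# name=value pairs; obj.conf accepts quoted and unquoted values
PARAM = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|(\S+))')

def params_of(text):
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PARAM.finditer(text)}

def check_disrend(conf_text):
    """Return a list of problems; an empty list means the fix is wired in."""
    loaded, current, pathchecks = False, None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<object"):
            p = params_of(line.rstrip(">"))
            current = p.get("name") or p.get("ppath") or "?"
        elif line.lower().startswith("</object"):
            current = None
        else:
            directive, rest = (line.split(None, 1) + [""])[:2]
            p = params_of(rest)
            if directive == "Init" and p.get("fn") == "load-modules":
                loaded = loaded or "disRend" in p.get("funcs", "").split(",")
            elif directive == "PathCheck" and current is not None:
                # remember PathCheck order per object
                pathchecks.setdefault(current, []).append(p.get("fn"))
    problems = []
    if not loaded:
        problems.append("no Init load-modules line exporting disRend")
    if not any("disRend" in fns for fns in pathchecks.values()):
        problems.append("no PathCheck fn=disRend in any <Object>")
    for name, fns in pathchecks.items():
        if "disRend" in fns and fns[0] != "disRend":
            problems.append(f"object {name}: disRend is not the first PathCheck")
    return problems

# Constructed sample configurations (not taken from a real server)
GOOD_CONF = '''Init fn="load-modules" funcs="disRend" shlib="/disrend.dll"
<Object name="default">
NameTrans fn="document-root" root="/docs"
PathCheck fn="disRend"
PathCheck fn="nt-uri-clean"
Service fn="send-file"
</Object>'''
BAD_CONF = GOOD_CONF.split("\n", 1)[1].replace(
    'PathCheck fn="disRend"\nPathCheck fn="nt-uri-clean"',
    'PathCheck fn="nt-uri-clean"\nPathCheck fn="disRend"')
```

`check_disrend(GOOD_CONF)` returns an empty list; `BAD_CONF` drops the Init line and moves disRend behind another PathCheck, so both problems are reported.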

Vendor URL:  www.iplanet.com/products/iplanet_web_enterprise/home_2_1_1m.html
Cause:   Exception handling error
Underlying OS:  Windows (NT)

Message History:   None.


 Source Message Contents

Subject:  Netscape ?wp-html-rend denial of service attack


8th January 2002:

ProCheckUp Security Bulletin PR01-04

CERT:           VU#191763
Description:    Netscape ?wp-html-rend denial of service attack
Date:           30/07/2001
Date Public:    08/01/2002
Application:    Netscape Enterprise 4.0 SP2,SP6 to 4.1 SP8
Platform:       Windows NT
Severity:       Remote attackers can shut down servers remotely
Author:         Richard Brain
Vendor Status:  Netscape has released a fix
CVE Candidate:  Not assigned


Description:

Remote attackers can easily disable unpatched Netscape
Enterprise servers running on Windows NT with publishing
enabled. http://server/?wp-html-rend is entered in the
web browser; it might need to be entered multiple times
to stop the service.

Consequences: 

Remote attackers can easily perform a denial of service
attack on Netscape Enterprise servers running with
Windows NT.

Detailed description: 

Netscape Enterprise has a selection of ?wp-* (Web
publishing) commands built into the web server. We have
found that using one of these commands, ?wp-html-rend,
reliably performs a denial of service attack by stopping
the running Netscape Enterprise service (v4.0) or the
iWS service (v4.1).

Publishing needs to be enabled for this to work. Netscape
4.0 SP6 seems to be less susceptible, requiring multiple
?wp-html-rend requests to crash.
The service has to be restarted manually for the server
to function properly again. We do not believe it is
possible to use this exploit to remotely execute code.

?wp-html-rend is one of the wp commands provided by
Netscape's content_mgr.dll.
To discover if publishing is enabled without crashing your
NT servers, enter the following URL: http://server/publisher
If publishing is enabled, a page should appear.
Our tests for this vulnerability were conducted
on Intel NT4 SP6 server, and Sparc Solaris Server 2.6.

Solution:

The ?wp-html-rend command is not useful in iWS 4.x.
You can disable it by using the attached NSAPI SAF. To
install the SAF, load the disrend.dll on your system and
add the following lines to your obj.conf. The PathCheck
line should be the first PathCheck listed.

Init fn="load-modules" funcs="disRend" shlib="/disrend.dll"
PathCheck fn="disRend"

Attached file:

Netscape has released the file disrend.dll

Further information:

To see the vulnerability release go to iPlanet/7761
or CERT/191763

For related topics go to iPlanet/4302 

Legal: 

Copyright 2001 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this
bulletin to the Internet community for the purpose of
alerting them to problems, if and only if, the bulletin is
not edited or changed in any way, is attributed to
ProCheckUp, and provided such reproduction and/or
distribution is performed for non-commercial purposes.

Any other use of this information is prohibited.
ProCheckUp is not liable for any misuse of this information
by any third party.


 
 



Copyright 2019, SecurityGlobal.net LLC