SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Web Server/CGI) > Sun ONE/iPlanet Web Server
Vendors:  Sun
iPlanet Web Server Input Validation Bug in Search Function Discloses Files on the System to Remote Users
SecurityTracker Alert ID:  1004731
SecurityTracker URL:  http://securitytracker.com/id/1004731
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 10 2002
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   An information disclosure vulnerability was reported in Sun's iPlanet Web Server. A remote user can view files on the system, including files that are located outside of the web document directory.

It is reported that a remote user can supply the NS-query-pat parameter to name an arbitrary pattern file and view the contents of that user-specified file. The search engine apparently does not properly validate the query pattern file name. A remote user can send an HTTP request of the following form to view files on the server:

GET /search?NS-query-pat=..\..\..\..\..\boot.ini

According to the report, the search engine is disabled by default on version 6.0.

Impact:   A remote user can view files on the system.
Solution:   No solution was available at the time of this entry.

The author of the report indicates that you can turn off the search engine as a workaround.

Vendor URL:  www.sun.com/
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (2000)
Underlying OS Comments:  Affects Windows NT and Windows 2000; other platforms not tested

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Sun Issues Fix) Re: iPlanet Web Server Input Validation Bug in Search Function Discloses Files on the System to Remote Users
Sun has issued a fix.



 Source Message Contents

Subject:  iPlanet Remote File Viewing




Sun iPlanet Web Server Remote File Viewing Vulnerability


Vendor:
	Sun Microsystems
Product:
	iPlanet Web Server 6.0 SP2
	iPlanet Web Server 4.1 SP9
	Netscape Enterprise Server 3.6
Platforms:
	Windows 2000
	Windows NT
	Other platforms not tested
Category:
	Information Leak
Author:
	turambar386@routergod.com
Date:
	July 9 2002


Description
-----------
Sun's iPlanet Web Server has a flaw in its search
function that allows remote viewing of any files on the
server.


Details
-------
The search engine that is included with iPlanet Web Server and
the earlier Netscape Enterprise Server uses HTML pattern files
to get and format search parameters from users.  By using the
NS-query-pat parameter, a user can specify their own
query pattern file rather than using the default one
provided by the web site.  Unfortunately, the search
engine does no validity checking on the query pattern
file thus requested.  If, for instance, you telnet to
port 80 on an iWS web server and issue the request:

GET /search?NS-query-pat=..\..\..\..\..\boot.ini

iPlanet will happily provide you with the contents of
the boot.ini file.   This overrides all access control
lists.

This has been tested on all versions of NES and iWS on
Windows NT and 2000.  Versions on other platforms may
not be affected.
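The validity check the Details section (and the SecurityTracker summary above) says the search engine lacks, as an added example that is not part of the advisory or of iPlanet's code: a resolver for the NS-query-pat value that canonicalises the requested name and refuses anything that does not stay inside the pattern-file directory. The directory path, the file names and the `resolve_pattern_file` function are assumptions constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed (constructed) directory holding the site's legitimate pattern files.
PATTERN_DIR = "/srv/iws/docs/search/patterns"


def resolve_pattern_file(ns_query_pat: str, base_dir: str = PATTERN_DIR) -> Optional[str]:
    """Return the absolute path of the requested pattern file, or None when the
    request would leave base_dir.

    Canonicalise before comparing: percent-decode twice (catches double
    encoding), turn backslashes into slashes (the advisory's payload uses
    Windows separators), reject NUL bytes, absolute paths and drive letters,
    then normpath to collapse '..' segments and confirm containment.
    """
    name = unquote(unquote(ns_query_pat))
    if "\x00" in name:
        return None
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, name))
    base = base_dir.rstrip("/")
    # Containment: the normalised path must be strictly below base_dir; a bare
    # '.' or an empty name normalises to base_dir itself and is not a file.
    if not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The advisory's payload, a legitimate name, and a percent-encoded variant.
    for requested in ("default.pat", r"..\..\..\..\..\boot.ini", "%2e%2e%5cboot.ini"):
        print(repr(requested), "->", resolve_pattern_file(requested))
```

The decision is made on the normalised path rather than by searching the raw string for `..`, so `sub/../default.pat` (which stays inside the directory) is accepted while the advisory's `..\..\..\..\..\boot.ini`, its forward-slash form, and double-encoded variants are all rejected by the same containment test.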


Workaround
----------
Turn off the search engine (it is off by default on
6.0) until a fix is provided.

I have written a Snort alert for this, but in light of
David Litchfield's buffer overflow advisory, I suggest
turning off the search engine altogether.  Still, here
is the snort sig:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80
(msg:"WEB-MISC iPlanet Search Engine File Viewing";
flags:A+; uricontent:"NS-query-pat";
classtype:web-application-attack; sid:1000999; rev:1;)

You will need to put this near the top of your
web-misc.rules file otherwise an attack may be
identified simply as a web traversal attempt.
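The Snort signature's logic applied offline to web server access-log lines, as an added example that is not the author's rule and not iPlanet output. It keeps the rule's trigger (any NS-query-pat in the request URI) and adds a second tier that separates a traversal payload from an ordinary pattern-file request, which is the distinction the note above says a generic traversal rule loses. The log lines are constructed samples in Common Log Format; the IP addresses, file names and the `classify`/`scan` function names are made up for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed CLF lines: a benign search, the advisory's payload as a browser
# would percent-encode it, and an unrelated request.  Status 200 on the second
# line is what a successful disclosure would look like in the log.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jul/2002:12:00:01 -0400] "GET /search?NS-query-pat=default.pat&NS-search-page=results HTTP/1.0" 200 2345
198.51.100.9 - - [10/Jul/2002:12:00:05 -0400] "GET /search?NS-query-pat=..%5c..%5c..%5c..%5c..%5cboot.ini HTTP/1.0" 200 412
198.51.100.9 - - [10/Jul/2002:12:00:09 -0400] "GET /index.html HTTP/1.0" 200 1024
"""

# Minimal Common Log Format parser: client, timestamp, method, URI, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def classify(uri: str) -> str:
    """Tier 1 mirrors the Snort rule: any NS-query-pat in the URI fires.
    Tier 2 decodes the value and reports a traversal when it would leave the
    pattern directory (parent segments, absolute path or drive letter)."""
    if "NS-query-pat" not in uri:
        return "none"
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for value in params.get("NS-query-pat", []):
        decoded = unquote(unquote(value)).replace("\\", "/")
        if (decoded.startswith("/")
                or ".." in decoded.split("/")
                or (len(decoded) > 1 and decoded[1] == ":")):
            return "iplanet-search-traversal"
    return "iplanet-search-pattern-override"


def scan(log_text: str):
    """Return (client, uri, status, verdict) for every line that fires."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        verdict = classify(m["uri"])
        if verdict != "none":
            hits.append((m["ip"], m["uri"], m["status"], verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

As with the Snort rule, the first tier also fires on a site's own legitimate use of NS-query-pat, so the traversal verdict is the one worth alerting on; the status code carried alongside it tells the responder whether the file was actually served.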


Vendor Contact Information
--------------------------
I originally wrote to Sun about this on May 22 2002 and
was advised that it would be fixed in the next Service
Pack.   David Litchfield says that 6.0 SP3/4.1 SP10 is
out, but I don't yet see it on their Product Tracker
site.   I was going to wait to release this information
until I had the Service Pack, feeling secure with my
Snort sig but decided to go ahead since it pales in
comparison to David's buffer overflow advisory.

Credit
------
This bug was originally brought to my attention by a
scan from the good folks at Qualys Corporation.
Unfortunately, Qualys did not provide an actual
advisory on it and I could not find any such beast
elsewhere.  Hence I decided to research the problem and
write my own.

Copyright 2019, SecurityGlobal.net LLC