SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Sun ONE/iPlanet Web Server
Vendors:   Sun
(Sun Issues Fix) Re: Sun iPlanet Web Server Cross-Site Scripting and Unsafe Perl Script open() Calls Let Remote Users Execute Commands on the Server
SecurityTracker Alert ID:  1005984
SecurityTracker URL:  http://securitytracker.com/id/1005984
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 24 2003
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.* up to SP11
Description:   Two vulnerabilities were reported in Sun's iPlanet Web Server. A remote user can execute commands on the target server.

Next Generation Security Technologies issued an advisory warning that a remote user can exploit a combination of the two flaws to execute commands on the server, typically with root level privileges.

One flaw is an input validation flaw that permits cross-site scripting attacks. The other flaw is a series of unsafe open() function calls in the Admin Server Perl scripts.

To trigger the exploit, the administrator must review the log files for the web server.

In the first flaw, it is reported that the web server does not filter HTML code when writing to the log files. A remote user can create a specially crafted URL that will cause HTML code to be written to the log files. Then, when an administrator views the log files, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the site running the iPlanet software and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies) associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the administrator user.

The remote user can exploit this cross-site scripting flaw to cause the administrator's browser to call the vulnerable Admin Server Perl scripts and exploit the unsafe open() function calls. Because the administrator will already be logged in to the server (to view the log files), the Perl scripts can be invoked (they would otherwise require the administrator to log in before executing).

Some demonstration exploit code is provided:

<script>
window.location="/https-admserv/bin/perl/importInfo?dir=|<command>%00";
</script>

A demonstration exploit script is available at:

http://www.ngsec.com/downloads/exploits/iplanet-ngxss.sh

For the original advisory, see:

http://www.ngsec.com/docs/advisories/NGSEC-2002-4.txt
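
The two conditions described above can be checked from the defender's side. The following is an added example, not code from Sun, NGSEC or SecurityTracker: it flags access-log lines that carry HTML markup or that call an Admin Server Perl script with a pipe or NUL byte in a parameter, and it HTML-escapes every line before a log viewer displays it. The log lines are constructed samples, and the function names and log format are assumptions.

```python
import html
import re
from urllib.parse import unquote

# Start of an HTML tag; raw log text like this must never reach a browser unescaped.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]")
# Admin Server Perl script path (as shown on this page) with a pipe or NUL in its query.
ADMIN_PERL = re.compile(r"/https-admserv/bin/perl/[^\s?]*\?[^\s\"]*[|\x00]")

# Constructed sample lines (assumed Common Log Format); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2003:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 5120',
    '192.0.2.77 - - [24/Jan/2003:10:02:13 +0000] "GET /<script>window.location='
    '"/https-admserv/bin/perl/importInfo?dir=|<command>%00";</script> HTTP/1.0" 404 207',
    '192.0.2.10 - admin [24/Jan/2003:10:05:40 +0000] '
    '"GET /https-admserv/bin/perl/importInfo?dir=%7CPLACEHOLDER%00 HTTP/1.0" 200 88',
]


def classify(line):
    """Return the set of findings for one raw access-log line."""
    decoded = unquote(line)  # decode %7C, %00, %3C ... once before matching
    findings = set()
    if MARKUP.search(decoded):
        findings.add("html-in-log")
    if ADMIN_PERL.search(decoded):
        findings.add("admin-perl-metachar")
    return findings


def render_rows(lines):
    """Build the text of a log-viewer page: every byte taken from the log is escaped."""
    rows = []
    for line in lines:
        tags = ",".join(sorted(classify(line))) or "-"
        rows.append(f"[{tags}] {html.escape(line, quote=True)}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_rows(SAMPLE_LOG))
```
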

Impact:   A remote user can cause the administrator's browser to execute arbitrary shell commands when viewing the log file.
Solution:   Sun has released a fix (version 4.1 Service Pack 12), available at:

http://wwws.sun.com/software/download/products/WebSvr4.1sp12.html

A workaround is described in the Sun Alert for those users that are unable to upgrade:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49475

Vendor URL:  sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49475
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 19 2002 Sun iPlanet Web Server Cross-Site Scripting and Unsafe Perl Script open() Calls Let Remote Users Execute Commands on the Server



 Source Message Contents

Subject:  Sun Alert 49475


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49475

Sun issued a revised alert 49475 reporting that a fix is available for the iPlanet Web Server.

The following releases are reported to be vulnerable:

Sun ONE / iPlanet Web Server 4.1 Service Pack 11 and earlier 
Sun ONE / iPlanet Web Server 6.0, Sun ONE Web Server 6.0 Service Pack 1 
iPlanet Web Server 4.0, all Service Packs 
Netscape Enterprise Server 3.x, all Service Packs 

Sun reports that Sun ONE Web Server 6.0 Service Packs 2 and greater are not vulnerable.

The following fix is available:

iPlanet Web Server, Enterprise Edition 4.1 Service Pack 12 
http://wwws.sun.com/software/download/products/WebSvr4.1sp12.html

A workaround is described in the Sun Alert for those users that are unable to upgrade.



-----

Sun Alert ID: 49475 
Synopsis: Security Vulnerabilities with Sun ONE Web Server 4.1SP11 and Earlier 
Category: Security 
Product: iPlanet Web Server, Sun ONE Web Server 
BugIDs: 4783074, 4739017 
Avoidance: Workaround, Upgrade 
State: Resolved 
Date Released: 12-Dec-2002, 22-Jan-2003 
Date Closed: 22-Jan-2003 
Date Modified: 07-Jan-2002, 22-Jan-2003


 
 



Copyright 2019, SecurityGlobal.net LLC