(Sun Issues Fix) Re: Sun iPlanet Web Server Cross-Site Scripting and Unsafe Perl Script open() Calls Let Remote Users Execute Commands on the Server
SecurityTracker Alert ID: 1005984
SecurityTracker URL: http://securitytracker.com/id/1005984
Date: Jan 24 2003
Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.* up to SP11
Two vulnerabilities were reported in Sun's iPlanet Web Server. A remote user can execute commands on the target server.
Next Generation Security Technologies issued an advisory warning that a remote user can exploit a combination of the two flaws to execute commands on the server, typically with root-level privileges.
One flaw is an input validation flaw that permits cross-site scripting attacks. The other flaw is a series of unsafe open() function calls in the Admin Server Perl scripts.
To trigger the exploit, the administrator must review the log files for the web server.
In the first flaw, it is reported that the web server does not filter HTML code when writing to the log files. A remote user can create a specially crafted URL that will cause HTML code to be written to the log files. Then, when an administrator views the log files, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the site running the iPlanet software and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies) associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the administrator user.
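The viewer side of this first flaw, as an added Python example (not code from the advisory, from Sun, or from the original reporter): every field of an access-log line is HTML-escaped before it is placed in an admin page, and entries whose request contains markup are flagged for review. The log lines are constructed, and the Common Log Format layout and all function names are assumptions made for illustration.

```python
import html
import re

# Constructed sample access-log lines (Common Log Format); not taken from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2003:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [24/Jan/2003:10:00:05 +0000] "GET /<script>alert(1)</script> HTTP/1.0" 404 210',
    '192.0.2.78 - - [24/Jan/2003:10:00:09 +0000] "GET /%3Cimg%20src=x%3E HTTP/1.0" 404 210',
]

# Assumed layout: host ident user [timestamp] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
# Raw or percent-encoded angle brackets do not belong in an ordinary request line.
MARKUP = re.compile(r'[<>]|%3c|%3e', re.IGNORECASE)


def parse(line):
    """Split one log line into (host, timestamp, request, status, size), or None."""
    m = CLF.match(line)
    return m.groups() if m else None


def render_row(line):
    """Build one table row; every value taken from the log is escaped before
    it reaches the page, so the browser shows markup instead of running it."""
    fields = parse(line) or (line,)  # an unparsable line is shown whole, still escaped
    cells = "".join(f"<td>{html.escape(f, quote=True)}</td>" for f in fields)
    return f"<tr>{cells}</tr>"


def render_log(lines):
    """Render the whole log as an HTML table for the admin viewer."""
    return "<table>\n" + "\n".join(render_row(l) for l in lines) + "\n</table>"


def flagged(lines):
    """Indexes of lines that carry markup characters, for manual review."""
    return [i for i, l in enumerate(lines) if MARKUP.search(l)]


if __name__ == "__main__":
    print(render_log(SAMPLE_LOG))
    print("lines needing review:", flagged(SAMPLE_LOG))
```

Escaping at display time protects the viewer even when older log files already contain markup; filtering at write time alone would not.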
The remote user can exploit this cross-site scripting flaw to cause the administrator's browser to call the vulnerable Admin Server Perl scripts and exploit the unsafe open() function calls. Because the administrator will already be logged in to the server (to view the log files), the Perl scripts can be invoked (they would otherwise require the administrator to log in before executing).
Some demonstration exploit code is provided:
A demonstration exploit script is available at:
For the original advisory, see:
A remote user can cause the administrator's browser to execute arbitrary shell commands when viewing the log file.
Sun has released a fix (version 4.1 Service Pack 12), available at:
A workaround is described in the Sun Alert for those users that are unable to upgrade:
Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49475
Input validation error
Underlying OS: Linux (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: Sun Alert 49475
Sun issued a revised alert 49475 reporting that a fix is available for the iPlanet Web Server.
The following releases are reported to be vulnerable:
Sun ONE / iPlanet Web Server 4.1 Service Pack 11 and earlier
Sun ONE / iPlanet Web Server 6.0, Sun ONE Web Server 6.0 Service Pack 1
iPlanet Web Server 4.0, all Service Packs
Netscape Enterprise Server 3.x, all Service Packs
Sun reports that Sun ONE Web Server 6.0 Service Packs 2 and greater are not vulnerable.
The following fix is available:
iPlanet Web Server, Enterprise Edition 4.1 Service Pack 12
A workaround is described in the Sun Alert for those users that are unable to upgrade.
Sun Alert ID: 49475
Synopsis: Security Vulnerabilities with Sun ONE Web Server 4.1SP11 and Earlier
Product: iPlanet Web Server, Sun ONE Web Server
BugIDs: 4783074, 4739017
Avoidance: Workaround, Upgrade
Date Released: 12-Dec-2002, 22-Jan-2003
Date Closed: 22-Jan-2003
Date Modified: 07-Jan-2002, 22-Jan-2003