SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Sun ONE/iPlanet Web Server
Vendors:   Sun
(Sun Issues Fix) Re: iPlanet Web Server Log Analyzer Input Filtering Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks Against Administrators
SecurityTracker Alert ID:  1008210
SecurityTracker URL:  http://securitytracker.com/id/1008210
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 17 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0 Service Pack 5 and prior; 4.1 Service Pack 12 and prior
Description:   An input validation vulnerability was reported in the Log Analyzer component of the iPlanet Web Server. A remote user can cause arbitrary scripting code to be executed by a target administrator's browser when the target administrator views a log file.

In March 2003, Infohacking Research reported that a remote user can set a malicious hostname containing HTML scripting code in the domain name system (DNS) and then make an HTTP request to a target server. If the target iPlanet Web Server is configured to perform inverse hostname lookups, the user-supplied HTML scripting code may be recorded in the web server log file.

When a target administrator runs the Log Analyzer to view the affected log entry, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the Log Analyzer application and will run in the security context of that application. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the security zone that the application runs in, access data recently submitted by the target administrator via web form to the application, or take actions on the application acting as the target administrator.

Some demonstration exploit hostnames are provided:

<script>alert( a )</script>
<script>alert( a )</script>.infohacking.com
<script>alert( a )</script>.infohacking.com

Some images showing the effects of a demonstration exploit are available at:

http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/ILLC/cap-report-html.gif

http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/ILLC/cap-report-text.gif
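
The handling a log report needs for the hostname field described above, as an added example (not Sun's fix and not code from the advisory): every logged field is HTML-escaped before it is rendered, and hostnames that fail RFC 952/1123 syntax are flagged for review. The Common Log Format layout, the sample log lines and all function names are assumptions made for illustration.

```python
import html
import re

# Constructed sample access-log lines (hostname logging enabled); not from the advisory.
SAMPLE_LOG = [
    'www.example.org - - [17/Nov/2003:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '<script>alert(1)</script>.attacker.example - - [17/Nov/2003:10:00:05 +0000] "GET / HTTP/1.0" 200 512',
    '192.0.2.10 - - [17/Nov/2003:10:00:09 +0000] "GET /a.gif HTTP/1.0" 304 0',
]

# Assumed Common Log Format; the host group is lazy so a host containing spaces still parses.
CLF = re.compile(r'^(?P<host>.*?) (?P<ident>\S+) (?P<user>\S+) '
                 r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$')
# RFC 952/1123 label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')

def is_valid_hostname(host):
    """True if host is syntactically a DNS hostname (dotted IPv4 also passes)."""
    host = host[:-1] if host.endswith('.') else host
    return 0 < len(host) <= 253 and all(LABEL.match(p) for p in host.split('.'))

def parse_line(line):
    """Split one log line into named fields, or return None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None

def render_row(entry):
    """Build one report row; every logged field is HTML-escaped before output."""
    cols = (entry['host'], entry['ts'], entry['req'], entry['status'])
    return '<tr>' + ''.join('<td>%s</td>' % html.escape(c) for c in cols) + '</tr>'

def analyze(lines):
    """Return (html_rows, suspicious_hosts) for the given log lines."""
    rows, suspicious = [], []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than echo it raw
        if not is_valid_hostname(entry['host']):
            suspicious.append(entry['host'])
        rows.append(render_row(entry))
    return rows, suspicious

if __name__ == '__main__':
    rows, suspicious = analyze(SAMPLE_LOG)
    print('\n'.join(rows))
    print('hosts failing hostname syntax:', suspicious)
```

Escaping at render time is the control that stops the script from running; the syntax check only surfaces entries worth investigating and does not replace it.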

Impact:   A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the security zone that the iPlanet administrative interface runs in, access data recently submitted by the target administrator via web form to the application, or take actions on the application acting as the target administrator.
Solution:   Sun has issued the following fixes.

Sun ONE/iPlanet Web Server 6.0 Service Pack 6 or later, available at:

http://wwws.sun.com/software/download/products/3f186391.html

Sun ONE/iPlanet Web Server 4.1 Service Pack 13 or later, available at:

http://wwws.sun.com/software/download/products/3f8472da.html

Vendor URL:  sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57418
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Linux), Linux (Sun), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 17 2003 iPlanet Web Server Log Analyzer Input Filtering Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks Against Administrators



 Source Message Contents

Subject:  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57418


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57418

57418 	  	Sun One Web Server Log Analyzer Vulnerability 	  	14 Nov 2003

Sun reported that when the Sun ONE Web Server is configured to log client hostnames 
instead of IP addresses, a remote user can embed malicious code into the log file.

The following versions are affected:

     * Sun ONE/iPlanet Web Server 6.0 Service Pack 5 and earlier
     * Sun ONE/iPlanet Web Server 4.1 Service Pack 12 and earlier

Sun has issued the following fixes:

     * Sun ONE/iPlanet Web Server 6.0 Service Pack 6 or later

Available at: http://wwws.sun.com/software/download/products/3f186391.html

     * Sun ONE/iPlanet Web Server 4.1 Service Pack 13 or later

Available at: http://wwws.sun.com/software/download/products/3f8472da.html

-----

     * Sun Alert ID: 57418
     * Synopsis: Sun One Web Server Log Analyzer Vulnerability
     * Category: Security
     * Product: Sun ONE Web Server
     * BugIDs: 4855546
     * Avoidance: Upgrade
     * State: Resolved
     * Date Released: 14-Nov-2003
     * Date Closed: 14-Nov-2003
     * Date Modified:


 
 



Copyright 2019, SecurityGlobal.net LLC