Subject: WebSphere application server plugin issue & vendor fix
From: Rude Yak (rudeyakYAHOO.COM)
Date: Fri Sep 15 2000 - 14:23:28 CDT
I've had the opportunity to work with IBM WebSphere application server for a
few months now and, in the course of playing around with some buffer overrun
testing, a potential issue came up. WebSphere uses the HTTP Host: header to
decide which WAS Virtual Host will service a particular request. Based on this
feature, I decided to see what would happen if I sent huge amounts of data in
the Host: request header. I found the following:

GET /servletsnoop HTTP/1.0
Host: xxxxxxxxxxxxxxxxxxxxxxxx(1092+ characters)

resulted in the following IBMHTTPD log entry:

[Fri May 26 12:00:54 2000] [notice] child pid 11306 exit signal Segmentation

It turned out that, depending on how many bytes were in the Host: header, I
could cause the web server process to fault on either signal 11 (SIGSEGV) or
signal 10 (SIGBUS). Here's the IBM HTTPD banner:

The machine on which I tested was a Solaris 2.6 server with IBMHTTPD and
WebSphere 3.0.2. I verified that the problem was with the WAS plugin (and not
IBMHTTPD) by commenting out all references to the WAS DSO and running the same
requests - Apache/IBMHTTPD handled them appropriately. Although it did not
look like any core dumps were generated and IBMHTTPD did not stop taking
requests, the process that handled that particular request did die rather
unceremoniously and the potential for abuse seemed significant enough that I
brought it up with the vendor. IBM was able to reproduce the issue and stated
that it was not exploitable (used to gain access or elevated privilege on the
web server machine). Nonetheless, the problem has since been fixed by IBM (and
verified onsite here), in WAS 3.0.2 fix pack 2, available at
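For readers of this report, here is the kind of bounded Host: header handling a native web server plugin needs so that an oversized value is refused rather than copied into a fixed-size buffer. It is an added illustration, not IBM's plugin code; HOST_MAX, the function names and the sample requests are assumptions made for the example.

```c
/* Added example, not IBM's plugin code: bounded extraction of the HTTP
 * Host: header value, so an oversized value is rejected instead of being
 * copied into a fixed-size buffer. HOST_MAX, the names and the sample
 * requests are assumptions made for this illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 255   /* assumed cap on a routable virtual host name */

enum host_status { HOST_OK = 0, HOST_MISSING = -1, HOST_TOO_LONG = -2 };

/* Case-insensitive prefix test; header names are case-insensitive. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Copy the Host: header value into out (size outsz). Only the header
 * section is scanned; a value of outsz-1 bytes or more is refused rather
 * than truncated, so the caller can answer 400 instead of routing on a
 * clipped name. Never writes more than outsz bytes. */
int parse_host_header(const char *request, char *out, size_t outsz)
{
    const char *line = request;
    while (*line && *line != '\r' && *line != '\n') {   /* stop at blank line */
        if (starts_with_ci(line, "Host:")) {
            const char *v = line + 5;
            while (*v == ' ' || *v == '\t') v++;
            const char *end = v;
            while (*end && *end != '\r' && *end != '\n') end++;
            while (end > v && isspace((unsigned char)end[-1])) end--;
            size_t len = (size_t)(end - v);
            if (len == 0) return HOST_MISSING;
            if (len >= outsz) return HOST_TOO_LONG;  /* the bounds check */
            memcpy(out, v, len);
            out[len] = '\0';
            return HOST_OK;
        }
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return HOST_MISSING;
}
```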