Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Date: Tue Jul 09 2002 - 15:32:16 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ('binary' encoding is not supported, stored as-is) Sun iPlanet Web Server Remote File Viewing Vulnerability

            Sun Microsystems
    iPlanet Web Server 6.0 SP2
                    iPlanet Web Server 4.1 SP9
                    Netscape Enterprise Server 3.6
    Windows 2000
                    Windows NT
                    Other platforms not tested
    Information Leak
            July 9 2002

    Sun's iPlanet Web Server has a flaw in its search
    function that allows remote viewing of any files on the

    The search engine that is included with iPlanet and
    previous versions uses HTML pattern files to get and
    format search parameters from users. By using the
    NS-query-pat command, a user can specify their own
    query pattern file rather than using the default one
    provided by the web site. Unfortunately, the search
    engine does no validity checking on the query pattern
    file thus requested. If, for instance, you telnet to
    port 80 on an iWS web server and issue the command:

    GET /search?NS-query-pat=..\..\..\..\..\boot.ini

    iPlanet will happily provide you with the contents of
    the boot.ini file. This overrides all access control

    This has been tested on all version of NES and iWS on
    Windows NT and 2000. Versions on other platforms may
    not be affected.

    Turn off the search engine (it is off by default on
    6.0) until a fix is provided.

    I have written a Snort alert for this, but in light of
    David Litchfield's buffer overflow advisory, I suggest
    turning off the search engine altogether. Still, here
    is the snort sig:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 80
    (msg:"WEB-MISC iPlanet Search Engine File Viewing";
    flags:A+; uricontent:"NS-query-pat";
    classtype:web-application-attack; sid:1000999; rev:1;)

    You will need to put this near the top of your
    web-misc.rules file otherwise an attack may be
    identified simply as a web traversal attempt.

    Vendor Contact Information
    I originally wrote to Sun about this on May 22 2002 and
    was advised that it would be fixed in the next Service
    Pack. David Litchfield says that 6.0 SP3/4.1 SP10 is
    out, but I don't yet see it on their Product Tracker
    site. I was going to wait to release this information
    until I had the Service Pack, feeling secure with my
    Snort sig but decided to go ahead since it pales in
    comparison to David's buffer overflow advisory.

    This bug was originally brought to my attention by a
    scan from the good folks at Qualys Corporation.
    Unfortunately, Qualys did not provide an actually
    advisory on it and I could find any such beast
    elsewhere. Hence I decided to research the problem and
    write my own.