From: Weld Pond (weld@ATSTAKE.COM)
Date: Fri Apr 20 2001 - 09:39:22 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Security Advisory Notification
Advisory Name: iPlanet Web Server Enterprise Edition 4.0, 4.1 Response Header Overflow
Release Date: 04/16/2001
Application: iPlanet Web Server Enterprise Edition 4.0, 4.1
Platform: Solaris (2.6/7/8), Windows (NT 4.0/2000)
Severity: An attacker can retrieve user requests, cookies, log data, user names, passwords, etc.
Author: Kevin Dunn (kdunn@atstake.com), Chris Eng (ceng@atstake.com)
Vendor Status: vendor has service pack and NSAPI module
CVE Candidate: CAN-2001-0327
The iPlanet Web Server Enterprise Edition is a commercial web server
used by organizations to serve up static web content, as well as deliver
dynamic, personalized content retrieved from an application server or
database backend. It is one of the three most popular web servers found
on the Internet today, and a large number of secure, transactional
application sites use the iPlanet Web Server as their front-end web
The iPlanet Web Server has an implementation flaw that allows any remote
user to retrieve data from the memory allocation pools on the running
server. The retrieved data usually consists of fragments from previous
HTTP requests and responses, including session identifiers, cookies,
form submissions, usernames and passwords, etc.
In the example of a home banking application deployed by a
financial institution, this would grant an attacker access to the
account of any user who had logged in within some reasonable time
before the attack was launched. Supplied with a valid session
identifier, the application has no way of differentiating between the
legitimate user and the attacker before executing transfers, bill
payments, equity trades, etc. If persistent authentication credentials are used, in
the form of a "remember my password" or "autologin" feature, these
credentials could be used at any point in the future to access the
This is a buffer overflow vulnerability in which improper
handling of response header values permits access to unauthorized
data. An attacker can use it to retrieve authentication and
authorization credentials or to hijack existing user sessions. The
vulnerability can be exploited without crashing the server, and the
exploiting request and the leaked data may travel inside an SSL
tunnel, making the attack extremely difficult to detect. Requests can
also be routed through anonymizing proxies, making it difficult to
trace the request's origin.
Netscape Enterprise Server 3.6x does not appear to be vulnerable.
Under certain conditions, this vulnerability may also be used to mount
a denial of service attack.
iPlanet has acknowledged that the above described problem exists and
that it affects its iPlanet Web Server 4.x product line. iPlanet has
committed to addressing this vulnerability by issuing a fix on April 16,
made available in two formats simultaneously: an upgrade, iWS 4.1 SP7,
and an NSAPI module that shields the earlier versions of the server
from the problem. These fixes, which wholly mitigate the risk posed by
this vulnerability, are available at:
with implementation instructions and information on which fix is most
appropriate for which cases.
** The advisory contains additional information. We encourage those
** affected by this issue to read the advisory.
** All vulnerability database maintainers should reference the above
** advisory reference URL to refer to this advisory.
Copyright 2001 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
-----END PGP SIGNATURE-----