From peter.grundl@DEFCOM.COM Tue Jan 23 00:10:17 2001 From: "Peter [iso-8859-1] Gründl" X-Sender: prg@astral.defcom.com To: BUGTRAQ@SECURITYFOCUS.COM Date: Mon, 22 Jan 2001 13:28:37 +0100 Subject: [BUGTRAQ] def-2001-04: Netscape Enterprise Server Dot-DoS [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] ====================================================================== Defcom Labs Advisory def-2001-04 Netscape Enterprise Server Dot-DoS Author: Peter Gründl Release Date: 2001-01-22 ====================================================================== ------------------------=[Brief Description]=------------------------- The Netscape Enterprise Server 4.1, SP5 has a problem dealing with dotdot-URLs. The problem can result in the service crashing. ------------------------=[Affected Systems]=-------------------------- - Netscape Enterprise Server 4.1, SP5 for Windows NT 4.0 ----------------------=[Detailed Description]=------------------------ If a GET request is performed which includes at least 1344 x /../, the web service will crash. This goes for both the normal HTTP service and the admin service. The crash has to be performed twice, since NES will reestablish the service the first time it crashes. ---------------------------=[Workaround]=----------------------------- None known. We've only come across this bug on 4.1, SP5, but would not rule out the possibility of it existing in other versions. -------------------------=[Vendor Response]=-------------------------- This issue was brought to the vendor's attention on the 7th of December, 2000. Vendor replied on the 22nd of January, 2001 and has been unable to reproduce the bug: "I've used their perl script to abuse an iWS4.1sp5 server. The server does not crash, politetly returns errors to the client, and logs errors. However, given the announcement on the Iplanet Web site regarding iWS stability I would recommend they upgrade to SP6, URL given below. http://www.iplanet.com/support/iws-alert/index.html" According to the URL supplied by Netscape, there is no SP6 for IWS4.1, so it is adviced that people try this out for themselves to determine if they are vulnerable. It was found on Windows NT 4.0, with SP6a. ====================================================================== This release was brought to you by Defcom Labs labs@defcom.com www.defcom.com ======================================================================