COMMAND

    iPlanet

SYSTEMS AFFECTED

    iPlanet Web Server Enterprise Edition 4.0, 4.1

PROBLEM

    Following is based on  a @stake Security Advisory  Notification by
    Kevin  Dunn  and  Chris  Eng.   The  iPlanet Web Server Enterprise
    Edition is a commercial web server used by organizations to  serve
    up static web  content, as well  as deliver dynamic,  personalized
    content retrieved from an application server or database  backend.
    It is  one of  the three  most popular  web servers  found on  the
    Internet  today,  and  a  large  number  of  secure, transactional
    application sites use  the iPlanet Web  Server as their  front-end
    web server.

    The iPlanet Web Server has an implementation flaw that allows  any
    remote user to retrieve data  from the memory allocation pools  on
    the  running  server.   The  retrieved  data  usually  consists of
    fragments  from  previous  HTTP  requests and responses, including
    session  identifiers,  cookies,  form  submissions,  usernames and
    passwords, etc.

    In  the  example  of  a  home  banking  application  deployed by a
    financial institution, this would grant an attacker access to  any
    user accounts that  logged in within  some reasonable time  before
    the  attack  was   launched.   Supplied   with  a  valid   session
    identifier, the application has no way of differentiating  between
    the legitimate user and  the attacker before executing  transfers,
    bill payments, equity trades,  etc.  If persistent  authentication
    credentials are used, in the  form of a "remember my  password" or
    "autologin" feature, these credentials could be used at any  point
    in the future to access the user's account.

    This is a buffer overflow vulnerability in which improper handling
    of response  header values  permits access  to unauthorized  data.
    This  vulnerability  can  be  used  by  an  attacker  to  retrieve
    authentication  and   authorization  credentials   or  to   hijack
    existing  user  sessions.   The  vulnerability  can  be  exploited
    without crashing the  server and may  occur within an  SSL tunnel,
    making it  extremely difficult  to detect.   Requests can  also be
    routed through  anonymizing proxies  making it  difficult to trace
    the request's origin.
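    The following C program is an added illustration of the bug class
    described above (stale bytes from a reused allocation pool leaking
    to a client through a mishandled response header length), written
    for this write-up as a defender's model.  It is not iPlanet code and
    does not claim to reproduce the actual flaw; the pool, the handler
    names (respond_unsafe, respond_safe, leak_check) and the sample
    session token are all constructed for the example.  It runs two
    requests through each handler and reports whether the second client
    receives bytes of the first client's token.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 64

/* Simulated allocation pool: one block that is handed out again and again
   and, like a real pool allocator, is never cleared between uses. */
static char pool_block[BLOCK];

static char *pool_alloc(void)
{
    return pool_block;
}

/* Stand-in for writing to the client socket; copies n bytes to `wire`. */
static size_t send_bytes(char *wire, const char *buf, size_t n)
{
    memcpy(wire, buf, n);
    return n;
}

/* Vulnerable handler (hypothetical): formats a response header into a pooled
   block, then flushes the whole block instead of the bytes it actually wrote.
   Everything past the terminating NUL is whatever the previous request left
   in the pool, and it goes to the current client. */
size_t respond_unsafe(char *wire, const char *header_value)
{
    char *buf = pool_alloc();
    snprintf(buf, BLOCK, "X-Session: %s\r\n", header_value);
    return send_bytes(wire, buf, BLOCK);   /* BUG: block size, not content length */
}

/* Hardened handler: uses the real length reported by snprintf, refuses
   truncated output, and clears the block before use so a future length
   mistake cannot expose a prior request's data. */
size_t respond_safe(char *wire, const char *header_value)
{
    char *buf = pool_alloc();
    memset(buf, 0, BLOCK);
    int n = snprintf(buf, BLOCK, "X-Session: %s\r\n", header_value);
    if (n < 0 || n >= BLOCK)
        return 0;   /* value too long: send nothing rather than a partial header */
    return send_bytes(wire, buf, (size_t)n);
}

/* Byte-wise search (spans embedded NULs) for `needle` in the first n bytes of wire. */
int leaked(const char *wire, size_t n, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= n; i++)
        if (memcmp(wire + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Two consecutive requests sharing the pool: the first carries one user's
   session token, the second a short value. Returns 1 if bytes of the first
   user's token reach the second client, 0 otherwise. */
int leak_check(size_t (*handler)(char *, const char *))
{
    char wire[BLOCK];
    memset(wire, 0, sizeof wire);
    handler(wire, "SID=alice-secret-token-0000000001");   /* constructed sample token */
    size_t n = handler(wire, "SID=bob");
    return leaked(wire, n, "secret-token");
}

int main(void)
{
    printf("unsafe handler leaks prior token: %d\n", leak_check(respond_unsafe));
    printf("safe handler leaks prior token:   %d\n", leak_check(respond_safe));
    return 0;
}
```

    The point of the hardened handler is that neither defence alone is
    enough: tracking the written length stops the over-read, and zeroing
    the block on allocation limits what a future length bug could expose.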

    Netscape Enterprise Server 3.6x does not appear to be vulnerable.

    Under certain conditions, this vulnerability may also be used to
    mount a denial of service attack.

SOLUTION

    iPlanet has acknowledged that  the above described problem  exists
    and  that  it  affects  its  iPlanet  Web Server 4.x product line.
    iPlanet has committed to addressing this vulnerability by  issuing
    a  fix  on  April  16  to   be  made  available  in  two   formats
    simultaneously: an upgrade, iWS 4.1  SP7 and an NSAPI module  that
    will shield the earlier versions  of the server from the  problem.
    These fixes,  which will  wholly mitigate  the risk  posed by this
    vulnerability, are available at:

        http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html

    with implementation instructions and  information on which fix  is
    most appropriate for which cases.