COMMAND

    Netscape

SYSTEMS AFFECTED

    Netscape Enterprise Server for NetWare

PROBLEM

    Peter Grundl found the following.  Systems affected are:

        NetWare 5.1 prior to support pack 1
        NetWare 5.0 - all support packs

    Older versions of NetWare are possibly affected as well (not
    tested).  By issuing a malformed URL it is possible to cause a
    denial of service and/or execute arbitrary code on the server
    with the privileges of the web server.  Here is a snippet from
    the log file to illustrate:

        Server XXXXXXXX halted XXXXX, XX March 2000 13.13.00
        Abend 8 on P00: Server-5.00d: Page Fault Processor Exception (Error code 00000000)

        Registers:
        CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
        EAX = 00000000 EBX = 61616161 ECX = 00000000 EDX = D6C175C0
        ESI = 61616161 EDI = 61616161 EBP = 61616161 ESP = D48F2F94
        EIP = 61616161 FLAGS = 00010286
        Address (61616161) exceeds valid memory limit
        EIP in UNKNOWN memory area
        Access Location: 0x61616161

        Running process: NS Web Thread 7 Process
        Created by: NetWare Application
        Thread Owned by NLM: NSHTTPD.NLM
        Stack pointer: D48F31B4
        OS Stack limit: D48E3480
        Scheduling priority: 67371008
        Wait state: 5050090 (Wait for interrupt)
        Stack: --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?
        --61616161 ?

    If the problem is abused for denial of service, the immediate
    effect is that all "executables" (/cgi-bin/, /lcgi/, /netbasic/,
    /perl/ etc.) cease to respond.  As the log shows, however, EIP
    has been overwritten along with the entire stack.

SOLUTION

    Novell has released a patch, included in NetWare 5.1 Support Pack 1.
    - Export (56 bit) URL:

        http://support.novell.com/cgi-bin/search/tidfinder.cgi?2956734

    - Domestic (128 bit) URL:

        http://support.novell.com/cgi-bin/search/tidfinder.cgi?2956733