COMMAND
WebSphere
SYSTEMS AFFECTED
WebSphere
PROBLEM
Rude Yak found the following. He had had the opportunity to work with
the IBM WebSphere application server for a few months and, in the
course of doing some buffer overrun testing against it, a potential
issue came up.
WebSphere uses the HTTP Host: header to decide which WAS Virtual
Host will service a particular request. Based on this feature,
Rude decided to see what would happen if he sent huge amounts of
data in the Host: request header. He found the following:
GET /servletsnoop HTTP/1.0
Host: xxxxxxxxxxxxxxxxxxxxxxxx(1092+ characters)
resulted in the following IBMHTTPD log entry:
[Fri May 26 12:00:54 2000] [notice] child pid 11306 exit signal Segmentation Fault (11)
It turned out that, depending on how many bytes were in the Host:
header, he could cause the web server process to fault on either
signal 11 (SIGSEGV) or signal 10 (SIGBUS). Here's the IBM HTTPD
banner:
IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev
The machine on which Rude tested was a Solaris 2.6 server with
IBMHTTPD and WebSphere 3.0.2. He verified that the problem was
with the WAS plugin (and not IBMHTTPD) by commenting out all
references to the WAS DSO and running the same requests -
Apache/IBMHTTPD handled them appropriately. Although it did not
look like any core dumps were generated and IBMHTTPD did not stop
taking requests, the process that handled that particular request
did die rather unceremoniously and the potential for abuse seemed
significant enough that Rude brought it up with the vendor.
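As an added example (not part of the original report or of any IBM code), the defender-side check that follows from the symptom above: a small Python script that parses IBM HTTP Server error_log entries in the format quoted earlier and flags bursts of child processes dying on signal 10 or 11. The log lines, timestamps and pids it contains are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample error_log, modelled on the entry quoted in the report.
# Three crashes within seconds suggest repeated oversized requests; the
# lone crash half an hour later is ambiguous on its own.
SAMPLE_LOG = """\
[Fri May 26 12:00:54 2000] [notice] child pid 11306 exit signal Segmentation Fault (11)
[Fri May 26 12:00:55 2000] [notice] child pid 11307 exit signal Bus Error (10)
[Fri May 26 12:01:02 2000] [notice] child pid 11308 exit signal Segmentation Fault (11)
[Fri May 26 12:05:10 2000] [error] [client 10.0.0.5] File does not exist: /htdocs/favicon.ico
[Fri May 26 12:30:00 2000] [notice] child pid 11310 exit signal Segmentation Fault (11)
"""

# Apache 1.3-style "child pid N exit signal Name (num)" notice line.
CHILD_CRASH = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal (?P<signame>[^(]+?) \((?P<signo>\d+)\)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_crashes(log_text):
    """Return (timestamp, pid, signal number) for every child-crash entry."""
    crashes = []
    for line in log_text.splitlines():
        m = CHILD_CRASH.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
            crashes.append((ts, int(m.group("pid")), int(m.group("signo"))))
    return crashes


def crash_bursts(crashes, window_seconds=60, threshold=3):
    """Group crashes whose inter-arrival gap is at most window_seconds and
    return (first timestamp, count, Counter of signal numbers) for each
    group holding at least `threshold` crashes."""
    def summarize(group):
        return (group[0][0], len(group), Counter(c[2] for c in group))

    bursts, group = [], []
    for crash in sorted(crashes):
        if group and (crash[0] - group[-1][0]).total_seconds() > window_seconds:
            if len(group) >= threshold:
                bursts.append(summarize(group))
            group = []
        group.append(crash)
    if len(group) >= threshold:
        bursts.append(summarize(group))
    return bursts
```

Run against a live error_log, one burst per minute of SIGSEGV/SIGBUS child exits is the pattern worth correlating with the access_log entries for the same seconds.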
SOLUTION
IBM was able to reproduce the issue and stated that it was not
exploitable (that is, it could not be used to gain access or elevated
privilege on the web server machine). Nonetheless, the problem has
since been fixed by IBM (and verified onsite) in WAS 3.0.2 fix pack 2,
available at
http://www-4.ibm.com/software/webservers/appserv/efix.html