COMMAND

    WebSphere

SYSTEMS AFFECTED

    WebSphere

PROBLEM

    Rude Yak found following.  He had the opportunity to work with IBM
    WebSphere application server for a few months now and, in the
    course of playing around with some buffer overrun testing, a
    potential issue came up.

    WebSphere uses the HTTP Host:  header to decide which WAS  Virtual
    Host will service  a particular request.   Based on this  feature,
    Rude decided to see what would  happen if he sent huge amounts  of
    data in the Host: request header.  He found the following:

        GET /servletsnoop HTTP/1.0
        Host: xxxxxxxxxxxxxxxxxxxxxxxx(1092+ characters)

    resulted in the following IBMHTTPD log entry:

        [Fri May 26 12:00:54 2000] [notice] child pid 11306 exit signal Segmentation Fault (11)

    It turned out that, depending on how many bytes were in the  Host:
    header, he could cause the  web server process to fault  on either
    signal 11 (SIGSEGV) or signal  10 (SIGBUS).  Here's the  IBM HTTPD
    banner:

        IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev

    The machine  on which  Rude tested  was a  Solaris 2.6 server with
    IBMHTTPD and WebSphere  3.0.2.  He  verified that the  problem was
    with  the  WAS  plugin  (and  not  IBMHTTPD) by commenting out all
    references  to  the  WAS  DSO  and  running  the  same  requests -
    Apache/IBMHTTPD handled them appropriately.   Although it did  not
    look like any core dumps were generated and IBMHTTPD did not  stop
    taking requests, the process that handled that particular  request
    did die rather unceremoniously and the potential for abuse  seemed
    significant enough that Rude brought it up with the vendor.

SOLUTION

    IBM was able  to reproduce the  issue and stated  that it was  not
    exploitable (used to gain access or elevated privilege on the  web
    server machine).   Nonetheless, the problem  has since been  fixed
    by IBM (and verified onsite),  in WAS 3.0.2 fix pack  2, available
    at

        http://www-4.ibm.com/software/webservers/appserv/efix.html