COMMAND

    Netscape Enterprise and FastTrack Authentication

SYSTEMS AFFECTED

    Netscape Enterprise and FastTrack

PROBLEM

    The following is based on an ISS Security Advisory.  Netscape Enterprise
    Server and Netscape FastTrack Server are widely used Internet  web
    servers.  ISS X-Force  has discovered a vulnerability  in Netscape
    Enterprise Server and Netscape FastTrack Server, as well as in the
    Administration  Server  supplied  with  both.   There  is a buffer
    overflow in  the HTTP  Basic Authentication  that can  be used  to
    execute code on the machine as SYSTEM in Windows NT or as root  or
    nobody   in   Unix,   without   requiring   authentication.    The
    Administration  Service  runs  as  root  in  Unix; the Application
    Server runs  as the  user 'nobody'  by default.   Enterprise 3.5.1
    through 3.6sp2  and FastTrack  3.01 were  found to  be vulnerable.
    Earlier versions may be vulnerable but were not tested by ISS.

    The buffer overflow  is present in  the HTTP Basic  Authentication
    portion of the server. When accessing a password protected portion
    of the Administration or Web  server, a username or password  that
    is longer than 508 characters will cause the server to crash  with
    an access violation error.   An attacker could utilize the  Base64
    encoded Authorization string to  execute arbitrary code as  SYSTEM
    on  Windows  NT,  or  as  root  on  Unix.  Attackers can use these
    privileges to gain full access to the server.

    Additional test data, obtained using LWP's "GET" as follows:

        $ GET -C `perl -e 'print "A"x1025'`:password http://hostname:port

    - Netscape FastTrack 3.0.1 on NT: crashes
    - Admin Server 3.5 on NT: crashes
    - Netscape FastTrack 3.0.2 on Irix 6.x: no problem
    - Admin Server 3.5 on Irix 6.x: no problem
    - Netscape Enterprise 3.6sp2 on Irix 6.x: no problem
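
    A defensive check for the condition described above, added here as an
    example (it is not part of the ISS advisory or of any Netscape code): it
    decodes the Basic Authorization value of a request and flags a username
    or password over the 508-character limit, as a filtering proxy or log
    scanner in front of an unpatched server might.  The function names, the
    sample requests and the host name are assumptions made for illustration.

```python
import base64
import binascii
# From the advisory: a username or password longer than 508 characters
# crashes the server. Measured in bytes after decoding (assumption).
MAX_FIELD_LEN = 508

def check_basic_auth(header_value, max_len=MAX_FIELD_LEN):
    """Return (verdict, reason); verdict is ok, not-basic, malformed or oversized."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return ("not-basic", "scheme is %r" % scheme)
    token = token.strip()
    # Pre-check: a longer token cannot decode to two in-limit fields plus ':'.
    if len(token) > 4 * ((2 * max_len + 1 + 2) // 3):
        return ("oversized", "encoded token is %d chars" % len(token))
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return ("malformed", "token is not valid base64")
    user, sep, password = decoded.partition(b":")
    if not sep:
        return ("malformed", "no ':' separator in credentials")
    for name, field in (("username", user), ("password", password)):
        if len(field) > max_len:
            return ("oversized", "%s is %d bytes" % (name, len(field)))
    return ("ok", "")

def scan_request(raw_request):
    """Verdicts for every Authorization header in a raw HTTP request (bytes)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [check_basic_auth(line.partition(":")[2])
            for line in head.split("\r\n")[1:]
            if line.partition(":")[0].strip().lower() == "authorization"]

def _request(user, password):
    cred = base64.b64encode(user + b":" + password)
    return (b"GET /protected/ HTTP/1.0\r\nHost: www.example.test\r\n"
            b"Authorization: Basic " + cred + b"\r\n\r\n")

SAMPLES = {  # constructed inputs with a hypothetical host, not captured traffic
    "normal": _request(b"alice", b"secret"),
    "boundary": _request(b"A" * 508, b"password"),
    "long-user": _request(b"A" * 509, b"p"),
    "advisory-test": _request(b"A" * 1025, b"password"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, scan_request(req))
```

    Requests classified as "oversized" or "malformed" are the ones to drop
    or log before they reach the server's authentication code.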

SOLUTION

    Affected users  should upgrade  their systems  immediately.   This
    vulnerability affects systems running  Administration Server  with
    password protected areas  that rely on  Basic Authentication.   If
    you run any  of the affected  servers on any  platform, upgrade to
    iPlanet Web Server 4.0sp2 at:

        http://www.iplanet.com/downloads/testdrive/detail_161_243.html

    Netscape has stated that FastTrack will not be patched.   Although
    Netscape released service  pack 3 for  Enterprise Server 3.6  that
    fixes  the  vulnerability  in  the  web server, the Administration
    Server remains  vulnerable.   If you  are unable  to upgrade,  ISS
    X-Force recommends that you  block the Administration Server  port
    at the firewall to prevent outside attacks.