| VID |
22182 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Sun ONE Application Server contains a buffer overflow vulnerability in the NSAPI Connector Module. The module is an NSAPI (Netscape Application Programming Interface) plugin that integrates the Sun ONE Web Server (formerly iPlanet Enterprise Server) with the Application Server. The Connector Module uses a static buffer when handling the incoming request URL. If a remote attacker sends a URL request with an overly long string after the application service prefix, in the form "/[AppServerPrefix]/[long buffer]", sensitive locations in memory will be overwritten. This can allow a remote attacker to overflow the buffer and potentially execute arbitrary code on the server.
* References: http://www.atstake.com/research/advisories/2003/a031303-1.txt
* Platforms Affected: Sun ONE Application Server 6.0, Sun ONE Application Server 6.5, Microsoft Windows (any version) |
| Recommendation |
For Sun ONE Application Server 6.5: Apply the patch SP1 or later, available from the Sun web site, http://www.sun.com/software/download/products/3e3afb89.html
As a workaround, use or write an NSAPI module suggested by @stake to inspect the length of HTTP request URLs:

=============================
NSAPI Data Validation Module:
=============================
Usage:
In [server-root]/[server-instance]/config/obj.conf:
...
Init fn="load-modules" shlib="[path to libs]/long.so" funcs="bounds_check"

<Object name=default>
# Make sure this function is the first to be called
NameTrans fn=bounds_check maxlength=500
...

----- BEGIN -----
#include <stdlib.h>
#include <string.h>
#include "nsapi.h"

/* NameTrans function: reject any request whose URI is longer than the
 * maxlength parameter set in obj.conf. */
NSAPI_PUBLIC int bounds_check(pblock *pb, Session *sn, Request *rq)
{
    char *temp;
    char *maxlength = pblock_findval("maxlength", pb);
    int max_req_len;   /* local rather than static: no state shared between request threads */

    /* Fail closed if maxlength is missing or not a positive number,
     * instead of passing NULL to atoi(). */
    if (maxlength == NULL || (max_req_len = atoi(maxlength)) <= 0) {
        log_error(LOG_MISCONFIG, "bounds_check", sn, rq,
                  "missing or invalid maxlength parameter");
        protocol_status(sn, rq, PROTOCOL_SERVER_ERROR, NULL);
        return REQ_ABORTED;
    }

    temp = pblock_findval("uri", rq->reqpb);
    if (temp != NULL) {
        if (strlen(temp) > (size_t)max_req_len) {
            log_error(LOG_SECURITY, "bounds_check", sn, rq,
                      "Overly long URI header (%d bytes)...aborting.",
                      (int)strlen(temp));
            protocol_status(sn, rq, 440, "Potential Attack Detected");
            return REQ_ABORTED;
        }
    }
    return REQ_NOACTION;
}
----- END ----- |
| Related URL |
CVE-2002-0387 (CVE) |
| Related URL |
7082 (SecurityFocus) |
| Related URL |
11529 (ISS) |
|
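The length condition from the description and the workaround can also be applied to existing web server access logs to find past requests worth reviewing. The following is an added example, not part of the @stake module or of this record; it assumes Common Log Format lines, uses the hypothetical prefix `/appprefix/` in place of `/[AppServerPrefix]/`, and reuses the 500-byte limit from the usage above. All log lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_URI_LEN 500           /* limit taken from maxlength=500 in the usage above */
#define APP_PREFIX "/appprefix/"  /* assumption: stands in for /[AppServerPrefix]/ */

/* Locate the URI inside the quoted request field ("METHOD URI PROTOCOL") of a
 * Common Log Format line. Returns NULL when the field is missing or malformed. */
static const char *request_uri(const char *line, size_t *len)
{
    const char *open = strchr(line, '"');
    const char *close = open ? strchr(open + 1, '"') : NULL;
    if (close == NULL) return NULL;
    const char *sp = memchr(open + 1, ' ', (size_t)(close - open - 1));
    if (sp == NULL) return NULL;          /* e.g. "-": no method/URI pair */
    *len = strcspn(sp + 1, " \"");
    return *len ? sp + 1 : NULL;
}

/* 1: URI is under the prefix and longer than the limit; 0: fine; -1: unparsable. */
int flag_line(const char *line)
{
    size_t len, plen = strlen(APP_PREFIX);
    const char *uri = request_uri(line, &len);
    if (uri == NULL) return -1;
    if (len < plen || strncmp(uri, APP_PREFIX, plen) != 0) return 0;
    return len > MAX_URI_LEN;
}

/* Build a constructed log line whose URI is APP_PREFIX plus suffix_len filler
 * bytes, then classify it. */
int demo_flag(size_t suffix_len)
{
    static char line[4096];
    if (suffix_len > 3000) return -1;
    int off = snprintf(line, sizeof line,
                       "192.0.2.10 - - [01/Jan/2003:00:00:00 +0000] \"GET %s", APP_PREFIX);
    memset(line + off, 'A', suffix_len);
    snprintf(line + off + suffix_len, sizeof line - (size_t)off - suffix_len,
             " HTTP/1.0\" 200 0");
    return flag_line(line);
}

int main(void)
{
    printf("short suffix: %d\n", demo_flag(20));
    printf("long suffix:  %d\n", demo_flag(600));
    printf("no request:   %d\n",
           flag_line("192.0.2.10 - - [01/Jan/2003:00:00:00 +0000] \"-\" 400 0"));
    return 0;
}
```

Unlike the NSAPI module, which rejects any over-long URI, this check only flags requests under the application prefix, since that is the path the description identifies.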