Note: This is an archival copy of Security Sun Alert 201241 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000926.1.
Article ID : 1000926.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities with Sun ONE Web Server 4.1SP11 and Earlier



Category
Security

Release Phase
Resolved

Bug Id
4783074, 4739017

Date of Workaround Release
12-DEC-2002

Date of Resolved Release
22-JAN-2003

Impact

A local or remote unprivileged user may be able to execute arbitrary code on systems running the iPlanet Web Server or the Sun ONE Web Server with the privileges of the user who utilizes the iPlanet Admin Console to examine that web server's log files. The user utilizing the iPlanet Admin Console may be privileged, such as the super user (uid 0).

This issue is described in the NGSEC Security Advisory at: http://www.ngsec.com/docs/advisories/NGSEC-2002-4.txt.


Contributing Factors

This issue can occur in the following releases:

  • Sun ONE / iPlanet Web Server 4.1 Service Pack 11 and earlier
  • Sun ONE / iPlanet Web Server 6.0, Sun ONE Web Server 6.0 Service Pack 1
  • iPlanet Web Server 4.0, all Service Packs

Notes: For applicable architectures and OS versions see: http://wwws.sun.com/software/download/download/5292.html.

Sun ONE Web Server 6.0 Service Packs 2 and greater are not vulnerable to this issue.


Symptoms

There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access.


Workaround

If you are not able to upgrade (see Resolution below), the following is provided as a workaround.

Edit the files "index.lst" and "nescore.spm" in the following directories:

	<SERVER ROOT>/bin/https/admin/html
	<SERVER ROOT>/bin/https/httpadmin/html

Add a semicolon ";" (comments out the line) at the beginning of the following lines:

	--Option:viewacc,View Access Log
	--Option:viewerr,View Error Log

This disables the Admin server from displaying the log files.
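The following script is an added example, not part of the Sun Alert, that applies the workaround above to both directories and verifies that no active log-viewer entry remains; the server root is passed as an argument and the sample menu files used in testing are constructed.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): comment out the "View Access Log"
# and "View Error Log" entries in index.lst and nescore.spm under both
# Admin server html directories, keeping a .bak copy of each edited file.
set -u

# Prepend ";" to the two log-viewer menu entries. Lines that are already
# commented do not match because the pattern anchors "--Option" at column 1,
# so running this twice does not produce ";;".
disable_log_viewers() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    cp "$file" "$file.bak" || return 1
    sed -e 's/^--Option:viewacc,/;&/' \
        -e 's/^--Option:viewerr,/;&/' "$file.bak" > "$file" || return 1
}

# Succeed only when neither log-viewer entry is still active (uncommented).
check_log_viewers_disabled() {
    ! grep -qE '^--Option:view(acc|err),' "$1"
}

# Apply the edit to every file named in the workaround and confirm the result.
apply_workaround() {
    root="$1"
    for dir in "$root/bin/https/admin/html" "$root/bin/https/httpadmin/html"; do
        for f in index.lst nescore.spm; do
            disable_log_viewers "$dir/$f" || return 1
            check_log_viewers_disabled "$dir/$f" || return 1
        done
    done
}

# Usage: ./disable_logview.sh <SERVER ROOT>
if [ $# -eq 1 ]; then
    apply_workaround "$1"
fi
```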



Resolution

This issue is addressed in the following releases:

  • iPlanet Web Server, Enterprise Edition 4.1 Service Pack 12
  • Sun ONE/iPlanet Web Server 6.0, Sun ONE Web Server 6.0 Service Pack 2 or later

The above upgrade is available at: http://wwws.sun.com/software/download/products/WebSvr4.1sp12.html.

For more information see: http://wwws.sun.com/software/download/inter_ecom.html#webs.

Note: iPlanet Web Server 4.0, all Service Packs, require an upgrade to one of the above releases.



Modification History
Date: 07-JAN-2003
  • Updated Contributing Factors and Relief/Workaround sections

Date: 22-JAN-2003
  • State Resolved (and Closed)
  • Updated Resolution section

Date: 14-FEB-2003
  • modified Contributing Factors and Relief/Workaround



Product
iPlanet Web Server 6.0 Enterprise Edition

Attachments
This solution has no attachment