Note: This is an archival copy of Security Sun Alert 201241 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000926.1.
Date of Workaround Release
Date of Resolved Release
A local or remote unprivileged user may be able to execute arbitrary code on systems running the iPlanet Web Server or the Sun ONE Web Server with the privileges of the user who utilizes the iPlanet Admin Console to examine that web server's log files. The user utilizing the iPlanet Admin Console may be privileged, such as the super user (uid 0).
This issue is described in the NGSEC Security Advisory at: http://www.ngsec.com/docs/advisories/NGSEC-2002-4.txt.
This issue can occur in the following releases:
Notes: For applicable architectures and OS versions see: http://wwws.sun.com/software/download/download/5292.html.
Sun ONE Web Server 6.0 Service Packs 2 and greater are not vulnerable to this issue.
There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access.
If you are not able to upgrade (see Resolution below), the following is provided as a workaround.
Edit the files "index.lst" and "nescore.spm" in the following directories:
<SERVER ROOT>/bin/https/admin/html
<SERVER ROOT>/bin/https/httpadmin/html
Add a semicolon ";" (which comments out the line) at the beginning of the following lines:
--Option:viewacc,View Access Log
--Option:viewerr,View Error Log
This prevents the Admin server from displaying the log files.
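The workaround above, scripted as an added example that is not part of the Sun Alert: it comments out the two log-viewer options in all four menu files under a server root, keeps a backup of each file, and reports whether any option line is still active. The directory layout is taken from the advisory; the sample menu files built by make_sample_root are constructed for a dry run, not the product's real contents.

```shell
# Added example (not from the advisory): applies the Sun Alert 201241 workaround by
# commenting out the two log-viewer options in the admin-console menu files (with a
# backup of each), then verifies none is left active. Assumes the directory layout
# given in the advisory; the sample menu files below are constructed, not real ones.
WORKAROUND_DIRS="bin/https/admin/html bin/https/httpadmin/html"
WORKAROUND_FILES="index.lst nescore.spm"

# Prefix ";" to the two option lines in one file. Anchoring on "^" keeps the edit
# idempotent: a line that already starts with ";" is not matched a second time.
disable_log_view_options() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -f "$f.orig-201241" ] || cp -p "$f" "$f.orig-201241"   # keep the original once
    sed -e 's/^--Option:viewacc,View Access Log/;&/' \
        -e 's/^--Option:viewerr,View Error Log/;&/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Apply the edit to every menu file named in the advisory under a server root.
apply_workaround() {
    for d in $WORKAROUND_DIRS; do for n in $WORKAROUND_FILES; do
        disable_log_view_options "$1/$d/$n" || echo "skipped (missing): $1/$d/$n" >&2
    done; done
}

# Verification: print how many log-viewer options are still active (uncommented)
# across the menu files; succeed only when that count is zero.
active_log_view_options() {
    total=0
    for d in $WORKAROUND_DIRS; do for n in $WORKAROUND_FILES; do
        f="$1/$d/$n"
        [ -f "$f" ] || continue
        c=$(grep -c -e '^--Option:viewacc,' -e '^--Option:viewerr,' "$f" || true)
        total=$((total + c))
    done; done
    echo "$total"
    [ "$total" -eq 0 ]
}

# Constructed sample menu files (not the product's real contents) for a dry run.
make_sample_root() {
    for d in $WORKAROUND_DIRS; do for n in $WORKAROUND_FILES; do
        mkdir -p "$1/$d"
        printf '%s\n' '--Option:viewacc,View Access Log' \
            '--Option:viewerr,View Error Log' '--Option:other,Some Other Option' > "$1/$d/$n"
    done; done
}

# Usage on a real install: sh fix-201241.sh <SERVER ROOT>
if [ -n "$1" ]; then apply_workaround "$1" && active_log_view_options "$1"; fi
```

Running the script a second time changes nothing, and the .orig-201241 copies let the menu entries be restored once the server has been upgraded to a fixed release.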
This issue is addressed in the following releases:
The above upgrade is available at: http://wwws.sun.com/software/download/products/WebSvr4.1sp12.html.
For more information see: http://wwws.sun.com/software/download/inter_ecom.html#webs.
Note: iPlanet Web Server 4.0 (all Service Packs) requires an upgrade to one of the above releases.
iPlanet Web Server 6.0 Enterprise Edition