Note: This is an archival copy of Security Sun Alert 201241 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000926.1.
Category: Security
Release Phase: Resolved
Bug IDs: 4783074, 4739017
Date of Workaround Release: 12-DEC-2002
Date of Resolved Release: 22-JAN-2003

Impact

A local or remote unprivileged user may be able to execute arbitrary code on systems running the iPlanet Web Server or the Sun ONE Web Server, with the privileges of the user who uses the iPlanet Admin Console to examine that web server's log files. That user may be privileged, such as the super user (uid 0). This issue is described in the NGSEC Security Advisory at: http://www.ngsec.com/docs/advisories/NGSEC-2002-4.txt.
Contributing Factors

This issue can occur in the following releases:
Notes: For applicable architectures and OS versions see: http://wwws.sun.com/software/download/download/5292.html. Sun ONE Web Server 6.0 Service Packs 2 and greater are not vulnerable to this issue.
Symptoms

There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access.
Workaround

If you are not able to upgrade (see Resolution below), the following is provided as a workaround.

Edit the files "index.lst" and "nescore.spm" in the following directories:

    <SERVER ROOT>/bin/https/admin/html
    <SERVER ROOT>/bin/https/httpadmin/html

Add a semicolon ";" (which comments out the line) at the beginning of the following lines:

    Option:viewacc,View Access Log
    Option:viewerr,View Error Log

This prevents the Admin server from displaying the log files.

Resolution

This issue is addressed in the following releases:
The above upgrade is available at: http://wwws.sun.com/software/download/products/WebSvr4.1sp12.html. For more information see: http://wwws.sun.com/software/download/inter_ecom.html#webs. Note: iPlanet Web Server 4.0, all Service Packs, require an upgrade to one of the above releases.
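The workaround above, scripted as an added example that is not part of the Sun Alert: a POSIX shell script that comments out the two Option lines in both Admin Console directories and counts how many log-viewing entries remain active. The server root is passed as a parameter, and the directory tree it edits is constructed for demonstration rather than taken from a real installation.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert: applies the advisory's workaround by
# commenting out the two log-viewing Option lines in index.lst and nescore.spm
# under both Admin Console directories. make_sample_root builds a constructed tree.

MENU_FILES="index.lst nescore.spm"
MENU_DIRS="bin/https/admin/html bin/https/httpadmin/html"

# Prefix Option:viewacc and Option:viewerr with ';'. Idempotent: already-commented
# lines do not match, so re-running never yields ';;'. First run keeps <file>.orig.
disable_log_viewing_in_file() {
    f="$1"
    [ -f "$f" ] || return 0
    [ -f "$f.orig" ] || cp "$f" "$f.orig"
    sed -e 's/^\(Option:viewacc,\)/;\1/' \
        -e 's/^\(Option:viewerr,\)/;\1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Walk both admin directories under the server root ($1) and edit each menu file.
disable_log_viewing() {
    for d in $MENU_DIRS; do
        for m in $MENU_FILES; do
            disable_log_viewing_in_file "$1/$d/$m"
        done
    done
}

# Verification: log-viewing Option lines still active under root $1; 0 = applied.
count_active_log_options() {
    n=0
    for d in $MENU_DIRS; do
        for m in $MENU_FILES; do
            [ -f "$1/$d/$m" ] || continue
            c=$(grep -E -c '^Option:view(acc|err),' "$1/$d/$m" || true)
            n=$((n + c))
        done
    done
    echo "$n"
}

# Constructed sample root: one line already commented, one unrelated entry that
# must survive untouched.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/bin/https/admin/html" "$r/bin/https/httpadmin/html"
    printf 'Option:viewacc,View Access Log\nOption:viewerr,View Error Log\nOption:other,Unrelated Entry\n' > "$r/bin/https/admin/html/index.lst"
    printf ';Option:viewacc,View Access Log\nOption:viewerr,View Error Log\n' > "$r/bin/https/httpadmin/html/nescore.spm"
    echo "$r"
}
```

Run `disable_log_viewing "<SERVER ROOT>"` against the real installation, then confirm `count_active_log_options` reports 0 before restarting the Admin server; the `.orig` copies allow the edit to be reverted once the upgrade is installed.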
Modification History

Date: 07-JAN-2003
Date: 22-JAN-2003
Date: 14-FEB-2003
Product: iPlanet Web Server 6.0 Enterprise Edition

Attachments: This solution has no attachment