Bugtraq mailing list archives
Re: ISS Security Advisory: Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure
From: kap () UAKRON EDU (Keith Piepho)
Date: Thu, 2 Dec 1999 10:39:38 -0500
At 06:47 PM 12/1/99 -0800, you wrote:
-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
December 1, 1999

Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure

Synopsis:

Netscape Enterprise Server and Netscape FastTrack Server are widely used Internet web servers. Internet Security Systems (ISS) X-Force has discovered a vulnerability in Netscape Enterprise Server and Netscape FastTrack Server, as well as in the Administration Server supplied with both. There is a buffer overflow in the HTTP Basic Authentication that can be used to execute code on the machine as SYSTEM in Windows NT or as root or nobody in Unix, without requiring authentication. The Administration Service runs as root in Unix, the Application Server runs as the user 'nobody' by default.

Affected Versions:

This vulnerability affects all supported platforms of Enterprise and FastTrack web servers. Enterprise 3.5.1 through 3.6sp2 and FastTrack 3.01 were found to be vulnerable. Earlier versions may be vulnerable but were not tested by ISS X-Force.

Does anyone know if this problem is fixed in 3.6sp3? The release notes for sp3 include the following fixes:

359884. Buffer overflow on large requests causes Security problems.
363755. Buffer overflow in the HTTP Basic authentication.

That second one certainly sounds very similar, but does anyone know for sure?

--
Keith Piepho
kap () uakron edu
Technical Services
(330) 972-6130
The University of Akron