Bugtraq mailing list archives

Re: iPlanet FastTrack/Enterprise 4.1 DoS clarifications

From: Peter Gründl <prg () IMAGE DK>
Date: Wed, 24 Jan 2001 20:53:51 +0100

3) The note about Service Pack levels for iPlanet Enterprise 4.1 in
  Peter Gruendl's "Netscape Enterprise Server Dot-Dot DoS" was somewhat
  confusing. The iPlanet URL he refers to correctly states that the
  latest supported iPlanet Web servers[0] are 4.0sp6 and 4.1sp5. 4.1sp6
  has not been released or officially announced by iPlanet.


To clarify on the note. I was told, by Netscape, that they could not
reproduce the flaw that was found in their webserver, and that I would be
better off installing Service Pack 6 for IWS4.1 (aka. Netscape Enterprise
Server 4.1). They later admitted, that their testing was solely performed on
Solaris and that two different people wrote the letter to me. Obviously one
of them doesn't know which patch levels their own products are at. Later
again, I got another email stating that they couldn't reproduce on Windows
NT 4.0, SP6a. The reason I released it, even if the vendor has not been able
to reproduce, is that we CAN reproduce this. It works on whatever Windows
NT-based computer we install it on. We have tried Windows NT 4.0, SP6a,
Windows 2000 Professional, Windows 2000 Server with or without SP1. They all
crash in exactly the same way. The performed installation is a
"next-next-finish" of the web server downloaded from the following location:
http://www.iplanet.com/downloads/download/2011.html (that being the Windows
NT version). To spell it out: Iplanet (Sun + Netscape) has not admitted that
their product is flawed in any way, and as such they have not released any
fix for the problem. Thus, it is very unlikely that the issue will be fixed
in SP6 (when that is released). On the other hand, older versions does not
appear to suffer from the same defect, so maybe they will (unknowningly)
code their way out of it again?

[0] All Netscape-branded Web server products, including Netscape Enterprise

3.6,

   have officially passed their end-of-life dates and are no longer

supported.
Where on earth did you get that? Try looking at the HTTP Server header for
www.netscape.com :) Just because they label the web server Iplanet Web
Server on the outside of the shiny box, doesn't mean the guts got any
shinier. It's still NES and I can promise you V4.1SP5 is a supported
version.

Peter Gründl
Defcom Security

Current thread:

iPlanet FastTrack/Enterprise 4.1 DoS clarifications Peter W (Jan 24)
- <Possible follow-ups>
- Re: iPlanet FastTrack/Enterprise 4.1 DoS clarifications Calvin Tait (Jan 24)
  - Re: iPlanet FastTrack/Enterprise 4.1 DoS clarifications Scott Howard (Jan 26)
- Re: iPlanet FastTrack/Enterprise 4.1 DoS clarifications Peter Gründl (Jan 24)