Bugtraq mailing list archives
Re: iPlanet FastTrack/Enterprise 4.1 DoS clarifications
From: Peter Gründl <prg () IMAGE DK>
Date: Wed, 24 Jan 2001 20:53:51 +0100
3) The note about Service Pack levels for iPlanet Enterprise 4.1 in Peter Gruendl's "Netscape Enterprise Server Dot-Dot DoS" was somewhat confusing. The iPlanet URL he refers to correctly states that the latest supported iPlanet Web servers[0] are 4.0sp6 and 4.1sp5. 4.1sp6 has not been released or officially announced by iPlanet.
To clarify the note: I was told, by Netscape, that they could not reproduce the flaw that was found in their webserver, and that I would be better off installing Service Pack 6 for IWS4.1 (aka Netscape Enterprise Server 4.1). They later admitted that their testing was solely performed on Solaris and that two different people wrote the letter to me. Obviously one of them doesn't know which patch levels their own products are at. Later again, I got another email stating that they couldn't reproduce on Windows NT 4.0, SP6a.

The reason I released it, even if the vendor has not been able to reproduce, is that we CAN reproduce this. It works on whatever Windows NT-based computer we install it on. We have tried Windows NT 4.0, SP6a, Windows 2000 Professional, Windows 2000 Server with or without SP1. They all crash in exactly the same way. The performed installation is a "next-next-finish" of the web server downloaded from the following location: http://www.iplanet.com/downloads/download/2011.html (that being the Windows NT version).

To spell it out: Iplanet (Sun + Netscape) has not admitted that their product is flawed in any way, and as such they have not released any fix for the problem. Thus, it is very unlikely that the issue will be fixed in SP6 (when that is released). On the other hand, older versions do not appear to suffer from the same defect, so maybe they will (unknowingly) code their way out of it again?
[0] All Netscape-branded Web server products, including Netscape Enterprise 3.6, have officially passed their end-of-life dates and are no longer supported.

Where on earth did you get that? Try looking at the HTTP Server header for www.netscape.com :) Just because they label the web server Iplanet Web Server on the outside of the shiny box, doesn't mean the guts got any shinier. It's still NES and I can promise you V4.1SP5 is a supported version.

Peter Gründl
Defcom Security