At 06:47 PM 12/1/99 -0800, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >ISS Security Advisory >December 1, 1999 > >Buffer Overflow in Netscape Enterprise and FastTrack Authentication >Procedure > >Synopsis: > >Netscape Enterprise Server and Netscape FastTrack Server are widely used >Internet web servers. Internet Security Systems (ISS) X-Force has discovered >a vulnerability in Netscape Enterprise Server and Netscape FastTrack >Server, as well as in the Administration Server supplied with both. There >is a buffer overflow in the HTTP Basic Authentication that can be used to >execute code on the machine as SYSTEM in Windows NT or as root or nobody >in Unix, without requiring authentication. The Administration Service runs >as root in Unix, the Application Server runs as the user 'nobody' by >default. > >Affected Versions: > >This vulnerability affects all supported platforms of Enterprise and >FastTrack web servers. Enterprise 3.5.1 through 3.6sp2 and FastTrack 3.01 >were found to be vulnerable. Earlier versions may be vulnerable but were not >tested by ISS X-Force. Does anyone know if this problem is fixed in 3.6sp3? The release notes for sp3 include the following fixes: 359884. Buffer overflow on large requests causes Security problems. 363755. Buffer overflow in the HTTP Basic authentication. That second one certainly sounds very similar, but does anyone know for sure? -- Keith Piepho kapat_private Technical Services (330) 972-6130 The University of Akron
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:23 PDT