Re: ISS X-Force: Buffer Overflow in Netscape Enterprise and FastTrack Web Servers

[jason.axley () ATTWS COM (Jason Axley)]

Is it just me, or does the lack of real information in
this advisory and the apparent disconnect between the
description of the vulnerability and the patch annoy
anyone else?

Is there someone who can give details on what this
attack is?  It sounds, from the fix, like it is the SSL
handshake bug that was already mentioned on the list on
July 6, 1999.  However, the description in the advisory
makes one wonder if it isn't something else since they
say it is an _HTTP_ GET overflow and don't mention
anything about it affecting SSL handshaking or only
affecting SSL-enabled servers.  Additionally, the SSL
handshake bug affects 3.5.1 as well as 3.6sp2 (see
http://help.netscape.com/business/filelib.html) so if
this advisory is really about the SSL bug, it is in
error by only mentioning 3.6sp2.

I have the flex check for ISS Internet Scanner, so I can
perhaps investigate what it is up to in order to provide
more information.  I've used the flex check to scan some
non-SSL 3.6sp2 servers and it didn't alarm so maybe it
is an SSL prob.

In the meantime:  Hey ISS and Netscape:  release some
details!  Release an updated, correct advisory, at
least.

-Jason

AT&T Wireless Services
IT Security
UNIX Security Operations Specialist