Information Security News mailing list archives
Security firm finds a hole in Sun One
From: InfoSec News <isn () c4i org>
Date: Mon, 17 Mar 2003 05:14:45 -0600 (CST)
http://www.nwfusion.com/news/2003/0314securfirm.html By David Legard IDG News Service 03/14/03 Security specialist @Stake says that a module that ships with Sun's Sun One Application Server has a flaw which could be exploited by outside attackers and which could give them control of the running Web server. The flaw is in the Connector Module, a Netscape Server Application Programming Interface (NSAPI) plug-in that integrates the Sun One Web Server with the Application Server. An overly long URI in an incoming HTTP request handled by the module could cause a stack buffer overflow, @Stake said in an advisory Thursday. The flaw affects Sun One Application Server 6.0 and Sun One Application Server 6.5. A patch is available for Version 6.5. No patch is available for Version 6.0, according to @Stake, but there are a number of workarounds. These include: * Writing an NSAPI module to inspect the length of HTTP request URIs. * Terminating the Secure Sockets Layer (SSL) session on a device before the Sun ONE Web server and installing an Intrusion Detection System sensor to monitor the clear-text traffic. * Terminating the SSL session on a reverse proxy that performs data validation on all HTTP request headers. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
Current thread:
- Security firm finds a hole in Sun One InfoSec News (Mar 17)