Sun iPlanet Web Server Remote File Viewing Vulnerability

Vendor:    Sun Microsystems
Product:   iPlanet Web Server 6.0 SP2
           iPlanet Web Server 4.1 SP9
           Netscape Enterprise Server 3.6
Platforms: Windows 2000
           Windows NT
           Other platforms not tested
Category:  Information Leak
Author:    turambar386@routergod.com
Date:      July 9 2002

Description
-----------

Sun's iPlanet Web Server has a flaw in its search function that allows remote viewing of any file on the server.

Details
-------

The search engine that is included with iPlanet and previous versions uses HTML pattern files to get and format search parameters from users. By using the NS-query-pat command, a user can specify their own query pattern file rather than using the default one provided by the web site. Unfortunately, the search engine does no validity checking on the query pattern file thus requested.

If, for instance, you telnet to port 80 on an iWS web server and issue the command:

GET /search?NS-query-pat=..\..\..\..\..\boot.ini

iPlanet will happily provide you with the contents of the boot.ini file. This overrides all access control lists.

This has been tested on all versions of NES and iWS on Windows NT and 2000. Versions on other platforms may not be affected.

Workaround
----------

Turn off the search engine (it is off by default on 6.0) until a fix is provided.

I have written a Snort alert for this, but in light of David Litchfield's buffer overflow advisory, I suggest turning off the search engine altogether. Still, here is the snort sig:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC iPlanet Search Engine File Viewing"; flags:A+; uricontent:"NS-query-pat"; classtype:web-application-attack; sid:1000999; rev:1;)

You will need to put this near the top of your web-misc.rules file, otherwise an attack may be identified simply as a web traversal attempt.
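The following is an added example, not code from the advisory or from Sun/iPlanet. It shows the two defender-side pieces the text above implies but does not spell out: the validity check on the NS-query-pat value that the search engine was missing (an allow-list of bare pattern file names, rejecting anything with a directory component), and a log-side detector in the spirit of the Snort signature. The detector is broader than the rule as written: the rule's uricontent match is case-sensitive (no nocase) and matches any use of the parameter, whereas this script decodes the query string, matches the parameter name case-insensitively and separates plain use of NS-query-pat from values containing traversal or absolute-path markers, so an analyst can triage hits. The pattern file name "query.pat" and all request lines are constructed for illustration.

```python
"""Added example (not part of the original advisory): defender-side handling
of the iPlanet NS-query-pat issue.

validate_pattern_name(): the allow-list check the search engine lacked.
classify_request() / scan_requests(): a detector mirroring the advisory's
Snort rule (uricontent:"NS-query-pat"), run over constructed request lines.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Any separator, traversal marker, drive/stream colon or NUL means the value
# is not a bare file name from the pattern directory.
_NOT_BARE_NAME = re.compile(r'[\\/]|\.\.|:|\x00')

# Markers that indicate the value tries to leave the pattern directory:
# "..\" or "../", a leading slash/backslash, or a Windows drive letter.
_TRAVERSAL = re.compile(r'\.\.[\\/]|^[\\/]|^[A-Za-z]:')


def validate_pattern_name(name: str, allowed: set) -> bool:
    """Return True only if the user-supplied pattern name is a bare file name
    that appears in the allow-list. The value is URL-decoded first so an
    encoded separator (e.g. %5c) cannot slip past the check."""
    decoded = unquote(name)
    if _NOT_BARE_NAME.search(decoded):
        return False
    return decoded in allowed


def classify_request(request_line: str) -> str:
    """Classify one HTTP request line ("GET /path?query HTTP/1.0").

    Returns:
      'clean'                  - NS-query-pat not present
      'ns-query-pat'           - parameter present (what the Snort rule alone flags)
      'ns-query-pat-traversal' - parameter value contains traversal/absolute-path markers
    """
    parts = request_line.split()
    if len(parts) < 2:
        return 'clean'
    query = urlsplit(parts[1]).query
    params = parse_qs(query, keep_blank_values=True)  # parse_qs decodes %xx once
    values = [v for key, vs in params.items()
              if key.lower() == 'ns-query-pat' for v in vs]
    if not values:
        return 'clean'
    for value in values:
        # decode a second time to catch double-encoded separators
        if _TRAVERSAL.search(unquote(value)):
            return 'ns-query-pat-traversal'
    return 'ns-query-pat'


def scan_requests(lines):
    """Return (classification, request_line) for every non-clean request."""
    results = []
    for line in lines:
        label = classify_request(line)
        if label != 'clean':
            results.append((label, line))
    return results


# Constructed sample traffic: one ordinary request, one benign use of the
# parameter, the request from the advisory, and a URL-encoded form of it.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /search?NS-query-pat=query.pat&NS-search-page=results HTTP/1.0",
    "GET /search?NS-query-pat=..\\..\\..\\..\\..\\boot.ini HTTP/1.0",
    "GET /search?NS-query-pat=..%5c..%5c..%5cboot.ini HTTP/1.0",
]

if __name__ == "__main__":
    for label, line in scan_requests(SAMPLE_REQUESTS):
        print(f"{label:24} {line}")
```

Running the script prints three hits: the benign use is reported as ns-query-pat and the two boot.ini requests as ns-query-pat-traversal. Note the allow-list check is the stronger control: once the server only accepts names it already knows, the traversal value is rejected before any file is opened, which is the validity check the advisory says the search engine never performed.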
Vendor Contact Information
--------------------------

I originally wrote to Sun about this on May 22 2002 and was advised that it would be fixed in the next Service Pack. David Litchfield says that 6.0 SP3/4.1 SP10 is out, but I don't yet see it on their Product Tracker site. I was going to wait to release this information until I had the Service Pack, feeling secure with my Snort sig, but decided to go ahead since it pales in comparison to David's buffer overflow advisory.

Credit
------

This bug was originally brought to my attention by a scan from the good folks at Qualys Corporation. Unfortunately, Qualys did not provide an actual advisory on it and I could not find any such beast elsewhere. Hence I decided to research the problem and write my own.