At 06:47 PM 12/1/99 -0800, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>ISS Security Advisory
>December 1, 1999
>
>Buffer Overflow in Netscape Enterprise and FastTrack Authentication
>Procedure
>
>Synopsis:
>
>Netscape Enterprise Server and Netscape FastTrack Server are widely used
>Internet web servers. Internet Security Systems (ISS) X-Force has discovered
>a vulnerability in Netscape Enterprise Server and Netscape FastTrack
>Server, as well as in the Administration Server supplied with both. There
>is a buffer overflow in the HTTP Basic Authentication that can be used to
>execute code on the machine as SYSTEM in Windows NT or as root or nobody
>in Unix, without requiring authentication. The Administration Service runs
>as root in Unix, the Application Server runs as the user 'nobody' by
>default.
>
>Affected Versions:
>
>This vulnerability affects all supported platforms of Enterprise and
>FastTrack web servers. Enterprise 3.5.1 through 3.6sp2 and FastTrack 3.01
>were found to be vulnerable. Earlier versions may be vulnerable but were not
>tested by ISS X-Force.
Does anyone know if this problem is fixed in 3.6sp3? The release notes for
sp3 include the following fixes:
359884. Buffer overflow on large requests causes Security problems.
363755. Buffer overflow in the HTTP Basic authentication.
That second one certainly sounds very similar, but does anyone know for sure?
--
Keith Piepho [EMAIL PROTECTED]
Technical Services (330) 972-6130
The University of Akron
