Software Engineering Institute

Requests made to web servers are routinely logged by the web server to a log file, even if these requests are invalid or malicious in some way. Normally, this presents no security problems, and in fact allows administrators to record possible attacks against their system. However, in iPlanet Enterprise Server and Netscape Enterprise server versions prior to 4.1. SP12, these malicious log entries are not correctly sanitized before being viewed through the browser-based administration client. This allows a remote attacker to embed malicious <SCRIPT> tags in the URL of requests, which may be later executed by the administrator when reviewing the logs.

When the malicious script embedded in the log files is viewed through the administration client, the administrator has already authenticated to the web server, and has additional privileges. In particular, by redirecting the administrator to other pages in the administration client, the attacker can perform certain administration activities including starting or stopping the web server.

iPlanet and Netscape servers with versions greater than 4.1 SP12 (including 6.x) are not vulnerable to this problem. Netscape web server versions prior to the iPlanet alliance are vulnerable. The problem is reported to have existed in some versions of 6.x prior to SP2.

A remote attacker can execute arbitrary script as the administrator of the server by embedding <SCRIPT> tags in URL requests that are subsequently viewed in the administration client. Because the administrator has authenticated to the server via the administration client at the time the malicious script is executed, the malicious script can take administration actions on the server, including starting or stopping the server. Attackers may also be able to perform other server administration actions.

Apply a Patch

System administrators are encouraged to apply service pack 12 which corrects this vulnerability.