It's in the search engine on iPlanet. It used to be turned on by default but now users who want to allow search functionality have to turn it on. It's hard to say specifically how dangerous it is. It is a high risk vulnerability especially if the Web server has a high level of privilege. If so, an attacker could gain control of the entire system. I would say it's the worse iPlanet vulnerability this year. Categorizing the risk is harder. One would need to know how many iPlanet users have the search function turned on. I would think a lot of users would but I don't have statistics on that. Why do you look for vulnerabilities in software in the first place?
As a security consultant, I am often required to evaluate products for my customers. It is while taking a look at iPlanet that I found the vulnerability. I think I am the first person to discover it, but who knows. A black hat hacker may have discovered it and has been exploiting it for a while. I think it's imperative to announce such information to the public as soon as possible. We need to stay ahead of the black hats. It's a race essentially. So why are so many vulnerabilities found in Web servers? Are they buggier than other software?
I would not say they are any buggier than other software. Look at it this way. It's pretty hard to gain access to databases because of firewalls but all companies have a Web presence. Hence, the Web server is the first port of call for someone wishing to attack your systems. When an attacker can get a shell on the Web server, he is through the firewall. The attacker could access the database then. Your firewall has to allow traffic in through the Web server hence attackers tend to concentrate on Web servers as the way to get into most installations. Of course, attackers who really want access to a company's data would just get a job there. Do you think the vulnerability may tarnish the image of iPlanet?
There has been a lot of advice about shifting from Microsoft's IIS (Internet Information Server) to Apache or iPlanet. But I've seen as many buffer overrun vulnerabilities in Apache and iPlanet as I have with IIS. So how should a user decide which Web server to buy when considering security?
One should chose a Web server based on business conditions. I wouldn't recommend one over another. For example, if one wanted to run an e-commerce site then IIS may be a good choice because it comes with a lot of things included. It's virtually plug and play. If you want to serve just static html pages then Apache is a good choice. Who tends to choose iPlanet?
Typically companies that run Solaris chose iPlanet. The one thing you can say about them is they are definitely not a Microsoft shop. Other than that, they are a diverse group. What is the vulnerability in iPlanet?
It's a buffer overflow vulnerability. In essence, it's triggered when you stuff too much data into a memory buffer. This can allow a remote attacker to gain control of the system. Instead of returning a Web page, an attacker could run arbitrary code of their choice.
Three years ago, I would have said one would need to be fairly technically savvy to exploit the vulnerability. But today there has been so many papers on the Internet explaining how to exploit buffer overflows. All an attacker has to do is cut and paste some code to exploit one.