iPlanet, Netscape Enterprise Servers at Risk

Written By
Ryan Naraine
Aug 2, 2002

A vulnerability has been detected in the Web Publisher feature in the
iPlanet Enterprise Web Server and Netscape Enterprise Server products that
exposes servers to brute force attacks.

In an alert issued Friday, the CERT Coordination Center warned that the
vulnerability could allow attackers to make repeated authentication attempts
if a server is configured to use HTTP basic authentication.

While the risk is not greater than any other brute force attack using HTTP
basic authentication, this vulnerability may represent an unexpected avenue
of attack, the Center warned.

The bug, which was detected by ProCheckup, affects the iPlanet Web Server,
Enterprise Edition and Netscape Enterprise Server running on Windows
NT-based operating systems.

The security outfit found the Web Publisher feature in those servers
contains the wp-force-auth command that initiates an HTTP Basic
Authentication dialog. “An attacker may make repeated calls to wp-force-auth
in an attempt to guess valid user credentials. Well-known user credentials,
such as Administrator or Guest on Windows systems, or root or nobody on
Unix/Linux systems, may be subjected to brute-force attacks,” it added.

While the exposure created by the bug is no greater than that of any other
brute force attack, this vulnerability may represent an “unexpected avenue
of attack,” CERT warned.

Users of the vulnerable iPlanet server are urged to disable Web Publisher
and Directory Indexing on external servers. Alternatively, or in addition, the
Netscape Server Application Programming Interface (NSAPI) can be used to filter
HTTP traffic to detect and block HTTP requests containing the ?wp-force-auth
command.
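
The detection side of that advice can also be applied to access logs after the fact. The following is an added example, not code from CERT, ProCheckup or this article: it assumes Common Log Format input and a threshold of three 401 responses per client, and the sample log lines and paths are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) \S+')
MARKER = "wp-force-auth"  # command named in the advisory
THRESHOLD = 3             # assumed: 401 responses per client before flagging

def is_force_auth(target):
    """True if the request target's query string carries wp-force-auth."""
    query = urlsplit(target).query
    # Decode percent-escapes and fold case so encoded variants still match.
    return MARKER in unquote(query).lower()

def scan(lines, threshold=THRESHOLD):
    """Return (hits, flagged): wp-force-auth requests per client, and the
    clients whose wp-force-auth requests drew at least `threshold` 401s."""
    hits, denied = Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # malformed or non-CLF line
        host, target, status = m.groups()
        if is_force_auth(target):
            hits[host] += 1
            if status == "401":
                denied[host] += 1
    return dict(hits), sorted(h for h, n in denied.items() if n >= threshold)

# Constructed sample log (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Aug/2002:10:00:01 +0000] "GET /?wp-force-auth HTTP/1.0" 401 223',
    '192.0.2.10 - - [02/Aug/2002:10:00:02 +0000] "GET /?wp-force-auth HTTP/1.0" 401 223',
    '192.0.2.10 - - [02/Aug/2002:10:00:03 +0000] "GET /?%77p-Force-Auth HTTP/1.0" 401 223',
    '198.51.100.7 - - [02/Aug/2002:10:00:04 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '203.0.113.5 - - [02/Aug/2002:10:00:05 +0000] "GET /docs/?wp-force-auth HTTP/1.0" 401 223',
]

if __name__ == "__main__":
    hits, flagged = scan(SAMPLE_LOG)
    print("wp-force-auth requests per client:", hits)
    print("clients over threshold:", flagged)
```

On a server where Web Publisher is disabled, any hit at all is worth reviewing, so the per-client counts are returned alongside the thresholded list.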

It’s not the first time bugs have been detected in Sun’s
iPlanet server product. Last month, Sun issued service packs to fix bugs
in the search function of its iPlanet Web server.

The buffer overrun vulnerabilities, which were detected by Next Generation
Security Software (NGSS),
affected versions 4.1 and 6.0 of iPlanet. That flaw allowed remote attackers
to run arbitrary code if the search function within the Server is enabled.
It was described as a high-risk bug.
