Netware Vulnerability – Buffer Overflow in Netware Web Server PERL Handler

Vulnwatch: Buffer Overflow in Netware Web Server PERL Handler

Topic: Buffer Overflow in Netware Web Server PERL Handler
Platform : Netware 5.1 SP6, Netware 6 under certain conditions.
Application : NetWare Enterprise Web Server
Identifiers: CERT: VU# 185593, CVE: CAN-2003-0562
The Netware Enterprise Server does not perform a proper bounds check on requests passed to the perl interpreter through the perl virtual directory. This results in a buffer overflow condition when large requests are sent to the perl interpreter.
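A defender who cannot patch immediately can at least look for the condition the advisory describes, over-long requests aimed at the perl virtual directory, in the web server's access log. The following is an added example, not code from the advisory or from Novell; the `/perl/` mount point, the 512-character ceiling, the Common Log Format layout and the sample lines are all assumptions.

```python
import re
from urllib.parse import unquote

# Assumptions, not from the advisory: the perl virtual directory is mounted
# at /perl/ and 512 characters is a generous ceiling for a legitimate target.
PERL_PREFIX = "/perl/"
MAX_TARGET_LEN = 512

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^\s"]*) ?[^"]*" (\d{3}|-) \S+'
)

def oversized_perl_requests(lines, prefix=PERL_PREFIX, limit=MAX_TARGET_LEN):
    """Return (host, time, raw_length, status) for each over-long request
    whose target falls under the perl virtual directory."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m is None:
            continue  # not an access-log line
        host, when, _method, target, status = m.groups()
        # Normalise before matching the prefix so %-encoding, case changes
        # and doubled slashes do not hide the directory name.
        path = re.sub(r"/{2,}", "/", unquote(target)).lower()
        if path.startswith(prefix) and len(target) > limit:
            hits.append((host, when, len(target), status))
    return hits

# Constructed sample log (documentation addresses, filler characters only).
FILL = "x" * 3000
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:01:02 +0000] "GET /perl/env.pl HTTP/1.0" 200 512',
    '192.0.2.77 - - [01/Jan/2003:10:04:40 +0000] "GET /perl/' + FILL + ' HTTP/1.0" 500 0',
    '192.0.2.77 - - [01/Jan/2003:10:04:41 +0000] "GET //%50ERL/' + FILL + ' HTTP/1.0" - -',
    '192.0.2.12 - - [01/Jan/2003:10:05:00 +0000] "GET /docs/' + FILL + ' HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for host, when, length, status in oversized_perl_requests(SAMPLE_LOG):
        print(f"{when} {host} target={length} characters status={status}")
```

A request that takes the server down may never reach the access log, so an empty result does not show that the server was not targeted.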

This advisory leads in two directions. First, who is still using Netware Enterprise Server (formerly Novonyx from Netscape) as their web platform? Not Novell: they are using Apache for their main website, although they did recently switch platforms to Apache. If there are enterprises using Netware Enterprise web server, they deserve the patching for this security issue. For me, the switching and recoding from Netscape made the product a sore subject, and Apache could not have come soon enough. Apache under Netware does have a learning curve to the .conf files, but at least the learning curve is well documented. (Netware 6.5 is supposed to make the learning curve and administration easier by administering Apache through the directory and making the conf entries eDir attributes.)

Apache also just recently released a post-SP3 patch (1.3.27 to 1.3.27), including some security issues as well. Just note the cautious warnings of Brad Nicholes first, which are to run a second instance of Apache for web services and leave the first one for administration of the server only. It seems like prudent advice to me.

