A bug in several components of the Netscape Servers suite of products allows and attacker to successfully conduct a denial of service attack against the vulnerable systems. The Netscape Certificate Management System has also several server components that share the problem. The Netscape Directory Server 4.12 provides a Web to LDAP gateway, by means of the Directory Services Gateway (DSGW) web server. No authentication credentails are required from the client to access DSGW. The same service is installed and used as part of the Certificate Management System (Netscape/iPlanet CMS 4.2) and in this case it listens on a tcp port chosen during the installation process (24326/tcp in this example). A request with an URI as follows: http://server:24326/dsgw/bin/search?context=% will trigger an exception at 0x00403c62 and cause the server to hang and stop servicing requests until the exception generated is dismissed. The same problem is present in all the binaries in the...
A bug in several components of the Netscape Servers suite of products allows and attacker to successfully conduct a denial of service attack against the vulnerable systems. The Netscape Certificate Management System has also several server components that share the problem. The Netscape Directory Server 4.12 provides a Web to LDAP gateway, by means of the Directory Services Gateway (DSGW) web server. No authentication credentails are required from the client to access DSGW. The same service is installed and used as part of the Certificate Management System (Netscape/iPlanet CMS 4.2) and in this case it listens on a tcp port chosen during the installation process (24326/tcp in this example). A request with an URI as follows: http://server:24326/dsgw/bin/search?context=% will trigger an exception at 0x00403c62 and cause the server to hang and stop servicing requests until the exception generated is dismissed. The same problem is present in all the binaries in the Netscape\Server4\dsgw\bin directory (auth,csearch,dnedit,doauth, domodify,dosearch,edit,lang,newentry,search,unauth), except for the program 'tutor'. The '%' can be replaced by any string with a non-alphanumeric character in it, except for '_' and '-'. The string length doesn't matter in this specific problem, as shown in the example above, a string of just one non-alphanumeric character is enough. The problem lies in a function that uses a buffer that is allocated if the string after 'context=' is alphanumeric, but isn't if the string is non-alphanumeric.
