Important iPlanet Web Server 4.x Product Alert

iWS Alerts

Apr 16, 2001, 7:32:12 PM
to nes-man...@lists.veritel.com.br
Immediate Patch/Upgrade recommended

April 16, 2001

iPlanet has identified a security vulnerability in the iPlanet[tm] Web
Server Enterprise Edition 4.x products. This problem does not affect any
releases of the product prior to the 4.x versions; however it does
affect all iPlanet applications operating on the iPlanet Web Server
platform. A patch and implementation instructions to address it are now
available.

Without this patch/upgrade, the problem will persist and affect your
site's data security, potentially leading to a data corruption event.
iPlanet urges all users of the iPlanet Web Server to upgrade immediately
to prevent any potential data security risks.

Please see the Alert Page at:

http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html

for updates, links to iWS4.1sp7, and an NSAPI that can be applied to
current iWS4.x installs to eliminate the problem.

Thijs Post

Apr 19, 2001, 12:13:47 PM
iWS Alerts wrote:
>
> Immediate Patch/Upgrade recommended
Hi,

There is a slight problem with the bounds_check fix.
Normal links are served OK, but the connection to the Application Server (iAS
6.0 SP2) is not functional anymore.

Invoking e.g. http://yourserver/NASApp/fortune/fortune yields a 404 message.
Error log entry:
[19/Apr/2001:17:29:36] warning (14620): for host x.x.x.x trying to GET
/NASApp/fortune/fortune, send-file reports: can't find /NASApp/fortune/fortune
(File not found)

By the way, is the vulnerability also there when only secure connections (via
https) are used ?

Thanks in advance, Thijs

Jay Burgess

Apr 19, 2001, 12:42:11 PM
While I'm a WINNT user, maybe someone can confirm the behavior I'm
seeing with SP7. I've just confirmed that it's a new problem in SP7,
that didn't exist in SP6.

I've defined a servlet to start up with iWS in the "Startup Servlets"
field on the "Configure Global Server Attributes" page of the
"Servlets" tab. On SP6, I got messages like the following in my error
file when the server started:

[19/Apr/2001:11:32:16] info ( 324):
Internal Info: loading servlet MyServlet
[19/Apr/2001:11:32:16] info ( 324):
MyServlet: init

This is what I would expect. Now, with SP7, however, I don't see
these messages until I actually try to access the servlet! It appears
the servlet is not auto-loading.

A secondary problem, maybe related to the first, is that if I access
the servlet directly (e.g. "http://mymachine/servlet/MyServlet"),
things work fine. But if I try to access it via a <SERVLET> block on
an .SHTML page, I get an error about it not being able to load the
servlet, saying it can't find the GenericServlet class. Things are
hosed from that point forward.

Can anyone confirm either or both of the problems I'm seeing?

Thanks.

Jay

Jay Burgess

Apr 19, 2001, 3:22:58 PM
>
>> A secondary problem, maybe related to the first, is that if I access
>> the servlet directly (e.g. "http://mymachine/servlet/MyServlet"),
>> things work fine. But if I try to access it via a <SERVLET> block on
>> an .SHTML page, I get an error about it not being able to load the
>> servlet, saying it can't find the GenericServlet class. Things are
>> hosed from that point forward.
>
>I just tried this. It works fine. I used this include:
>
><SERVLET Code=EchoQueryString codebase=/iWS/servlet></SERVLET>
>
>What's your SSI tag look like?
>
My tag looks like:

<servlet code="myservlet" name="MyServlet">...

MyServlet is the name I registered in iPlanet. This syntax definitely
worked in SP6, as I just uninstalled SP7, reinstalled SP6, and tested
it.

One other piece of information is that if I call the servlet directly
(via a URL) FIRST, then the servlet loads, and my .SHTML pages will
then work. It's only the case where I call the .SHTML page first
that I have problems.

Here are the lines from my error file:

[19/Apr/2001:14:13:23] info ( 250): Internal Info: loading servlet
MyServlet
[19/Apr/2001:14:13:23] warning ( 250): Unable to locate class:
myservlet (java.lang.ClassNotFoundException: myservlet)
[19/Apr/2001:14:13:23] warning ( 250): Internal error: Failed to get
GenericServlet. (uri=/myservlet,SCRIPT_NAME=/myservlet)

And as I also noted in my previous post, the "loading..." line doesn't
appear until I access the servlet. It used to appear on server
startup, which is what I expected, as I marked the servlet as a
"Startup Servlet".

Jay
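
A post-patch check over the server error log for the symptoms reported in the posts above (the /NASApp request answered by send-file, the servlet that loads only on first access, and the ClassNotFoundException), as an added example that is not part of the thread or of iPlanet's tooling. The function names, the finding labels, the 60-second grace window and the operator-supplied `server_start` are assumptions; the sample log is constructed from the lines quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log lines quoted in the thread,
# including the mail-client line wrapping seen there.
SAMPLE_LOG = """\
[19/Apr/2001:14:13:23] info ( 250): Internal Info: loading servlet
MyServlet
[19/Apr/2001:14:13:23] warning ( 250): Unable to locate class:
myservlet (java.lang.ClassNotFoundException: myservlet)
[19/Apr/2001:17:29:36] warning (14620): for host x.x.x.x trying to GET
/NASApp/fortune/fortune, send-file reports: can't find /NASApp/fortune/fortune
(File not found)
"""

ENTRY = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\]\s+(\w+)\s*\(\s*\d+\):\s*(.*)")

def parse_entries(text):
    """Re-join wrapped continuation lines, then return (time, level, message) tuples."""
    joined = []
    for line in text.splitlines():
        if line.startswith("[") or not joined:
            joined.append(line.strip())
        elif line.strip():
            joined[-1] += " " + line.strip()
    entries = []
    for entry in joined:
        m = ENTRY.match(entry)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            entries.append((ts, m.group(2), m.group(3)))
    return entries

# Assumption: server_start comes from the operator, because the thread shows no
# startup marker line; the grace window is an arbitrary choice.
def post_patch_findings(text, server_start, grace=timedelta(seconds=60)):
    """Return (kind, detail) tuples for the regression symptoms reported in the thread."""
    findings = []
    for ts, _level, msg in parse_entries(text):
        m = re.search(r"loading servlet (\S+)", msg)
        if m and ts - server_start > grace:
            findings.append(("late-servlet-load", m.group(1)))
        m = re.search(r"ClassNotFoundException: (\S+?)\)", msg)
        if m:
            findings.append(("class-not-found", m.group(1)))
        m = re.search(r"trying to GET (/NASApp/\S+?), send-file reports", msg)
        if m:
            findings.append(("nasapp-served-as-file", m.group(1)))
    return findings
```

Running it against the log written after a restart, with the restart time as `server_start`, gives a quick pass/fail on whether the patched server still loads startup servlets and still routes /NASApp requests.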

Dmitry Smirnov

Apr 22, 2001, 4:42:45 PM
After SP7 I've got the same problem that was fixed by SP6.
I'm out of number of sessions (1000) after 2 days of iPlanet Web
server work. Looks like sessions are not expired anymore.

Dmitri

