[prev in list] [next in list] [prev in thread] [next in thread]
List: nfr-users
Subject: [nfr-users] WWW v20 -- Rapid Response for MS03-051
From: "M. Dodge Mumford" <dodge () nfr ! net>
Date: 2003-11-12 22:01:53
[Download RAW message or body]
NFR RRT has updated the WWW package to version 20 to address the first part
of MS03-051, the buffer overflow in Microsoft FrontPage Server Extensions. This
update does not address the Denial of Service in the SmartHTML Interpreter
because sufficiently detailed information about the vulnerability is not
yet available. We are monitoring the situation closely and will make
updates as needed.
Please note that this is a Rapid Response update to the WWW package, and
that no other issues are addressed by this update. If you experience
problems, please inform support immediately.
TECHNICAL INFORMATION
FrontPage Server Extensions fail to perform appropriate bounds checking on
client-supplied data in HTTP requests where data is supplied using the
chunked transfer-encoding scheme defined in RFC 2616. Successful
exploitation may result in the attacker running their own code on the server
with the same privileges as that of the web server.
Normally buffer overflows are indicated by large amounts of data, however
buffer overflows may be very short. It is not yet publicly known where
exactly this buffer overflow is performed, only that it must be exploited
in this manner. While requesting this file in this manner is perfectly
legal, it is highly unusual and probably indicates an attempt to exploit
the vulnerability.
--
Dodge
[Attachment #3 (application/pgp-signature)]
_______________________________________________
nfr-users mailing list
nfr-users@nfr.com
http://list.nfr.com/mailman/listinfo/nfr-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic