On Thu, 7 Feb 2002, Reckhard, Tobias wrote: > > they *do* upgrade it quickly as issues arise. Lotus falls just behind > > Netscape/IPlanet in "poor coding without a security clue" in my book. > > What NS/IPlanet products does your critique apply to, Paul? I've heard very > little on the security of, e.g. the LDAP, Web and, I believe, FTP servers. > I'd be grateful for any insights you may have to offer.
Predominantly their Web servers, which are pretty much "keep on the latest release or be vulnerable" things sort of like BIND4/BIND8, IIS or Sendmail in my book. It never ceases to amaze me how many sites are running vulnerable versions of their Web servers and who can't immediately upgrade due to incompatibilities in applications or LDAP servers and the latest versions. If we go by the SecurityFocus database and weed out the obvious browser issues, we're left with[1]: * 2002-01-09: Netscape Enterprise Server Web Publisher DoS Vulnerability * 2002-01-09: Netscape Enterprise Web Server Brute Force Authentication Attacks Vulnerability * 2000-10-26: iPlanet Webserver .shtml Buffer Overflow Vulnerability * 2001-08-09: Netscape Enterprise Server Internal IP Address/Internal Network Name Vulnerability * 2001-07-16: iPlanet Directory Server Buffer Overflow Vulnerabilities * 2001-07-16: iPlanet Directory Server Format String Vulnerabilities * 2001-05-15: iPlanet Web Publisher Remote Buffer Overflow Vulnerability * 2001-04-18: iPlanet Calendar Server Plaintext Admin Password Vulnerability * 2001-04-13: Netscape SmartDownload 1.3 Buffer Overflow Vulnerability * 2001-02-26: Netscape Collabra Memory Leak DoS Vulnerability * 2001-02-26: Netscape Collabra Malformed Data DoS Vulnerability * 2001-02-02: Netscape Web Publisher Arbitrary Remote File Disclosure Vulnerability * 2001-01-25: Netscape Enterprise Server Web Publishing DoS Vulnerability * 2001-01-24: Netscape Enterprise Server 'Index' Disclosure Vulnerability * 2001-01-22: Netscape FastTrak Cache Module DoS Vulnerability * 2001-01-22: Netscape Enterprise Server DoS Vulnerability * 2000-10-31: Netscape Servers Suite Heap Buffer Overflow Vulnerability * 2000-10-31: Netscape Servers Suite Denial of Service Vulnerability * 2000-10-25: iPlanet CMS/Netscape Directory Server Directory Traversal Vulnerability * 2000-10-25: iPlanet CMS/Netscape Directory Server Plaintext Administrative Password Vulnerability * 2000-10-11: Netscape Messaging Server Email Address Verification Vulnerability * 2000-10-10: Netscape iPlanet iCal 'xhost -' Vulnerability * 2000-10-10: Netscape iPlanet iCal 'iplncal.sh' Permissions Vulnerability * 2000-10-10: Netscape iPlanet iCal 'csstart' Vulnerability * 2000-09-26: Netscape Messaging Server DoS Vulnerability * 2000-07-11: Netscape SuiteSpot Read/Writeable Admin Password Vulnerability * 2000-06-26: Netscape Enterprise Server for Netware Buffer Overflow Vulnerability * 2000-06-21: Netscape Professional Services FTP Server Vulnerability * 2000-04-06: Netscape PublishingXPert Local File Reading Vulnerability * 2000-03-17: Netscape Enterprise Server Directory Indexing Vulnerability * 2000-03-11: Netscape Enterprise Server Web Publishing Vulnerability * 1999-12-31: Netscape FastTrack Server GET Buffer Overflow Vulnerability * 1999-12-08: Netscape Enterprise Server for NetWare Admin Buffer Overflow Vulnerability * 1999-12-01: Netscape Enterprise & FastTrack Authentication Buffer Overflow Vulnerability * 1999-10-29: Netscape Messaging Server RCPT TO DoS Vulnerability * 1999-09-13: Netscape Enterprise Accept Buffer Overflow Vulnerability * 1999-08-25: Netscape Enterprise Server GET Request Vulnerability * 1999-07-30: Netscape Enterpise Server JHTML View Source Vulnerability * 1999-07-06: Netscape Enterprise Server SSL Buffer Overflow DoS Vulnerability * 1999-06-07: Netscape Fasttrack Root Directory Listing Vulnerability * 1998-07-17: imapd Buffer Overflow Vulnerability * 1998-06-26: Multiple Vendor PKCS#1 Vulnerability * 1998-05-19: Netscape Web Server %20 Filename Vulnerability * 1998-03-28: Netscape 'document.referrer' User Information Disclosure Vulnerability * 1998-02-06: NT Webserver Long File Name Access Protection Vulnerability * 1996-12-10: Multiple Vendor nph-test-cgi Vulnerability * 1996-12-04: Multiple Vendor INN remote Vulnerability * 1996-03-01: Multiple Vendor .BAT/.CMD Remote Command Execution Vulnerability Paul [1] Netscape/IPlanet's market share has declined over the timeperiod indicated, so I'm not entirely convinced that the decrease isn't just due to not as many people shooting at it rather than any subsequent improvement in code quality or lack of new features. To be fair, I haven't seen the code. In fact I haven't even touched a Netscape server in quite a few years. ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions [EMAIL PROTECTED] which may have no basis whatsoever in fact." _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
