Full Disclosure mailing list archives
Re: Secunia Research: Xeneo Web Server URL Encoding Denial of Service
From: "badpack3t" <badpack3t () security-protocols com>
Date: Wed, 23 Apr 2003 12:31:03 -0400 (EDT)
Nice try lamers. I found this vulnerability and published it on April 21. Try reading your mail lists before sending out advisories. Links: http://www.security-protocols.com/article.php?sid=1480&mode=thread&order=0 http://lists.netsys.com/pipermail/full-disclosure/2003-April/009347.html --------------------------- badpack3t www.security-protocols.com ---------------------------
======================================================================
Secunia Research 23/04/2003
- Xeneo Web Server URL Encoding Denial of Service -
======================================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/secunia_security_advisories/
======================================================================
Table of Contents
1....................................................Affected Software
2.............................................................Severity
3.....................................Vendor's Description of Software
4.........................................Description of Vulnerability
5.............................................................Solution
6...........................................................Time Table
7..............................................................Credits
8........................................................About Secunia
9.........................................................Verification
======================================================================
1) Affected Software
Xeneo Web Server 2.2.9 and prior.
======================================================================
2) Severity
Rating: Moderately critical
Impact: Denial of Service
Where: From Remote
======================================================================
3) Vendor's Description of Software
"Xeneo Web Server is designed to deliver high performance and
reliability. It can be easily extended and customized to host
everything from a personal web site to advanced web applications that
use ASP, PHP, ColdFusion, Perl, CGI and ISAPI."
"Key Xeneo Web Server features include: multiple domain support,
integrated Windows authentication, scripting interface, enhanced
filter support, ISAPI, CGI, ASP, SSL, intelligent file caching and
more."
Vendor:
http://www.northernsolutions.com
======================================================================
4) Description of Vulnerability
A vulnerability in Xeneo Web Server can be exploited by malicious
people to cause a DoS (Denial of Service) on the web service.
The vulnerability is caused due to an error in the handling of
requests including a malformed URL encoding representation of a
character. By sending a request like the following, "xeneo.exe" will
crash with a runtime error.
Example:
http://[victim]/%A
The web service needs to be restarted manually before functionality is
restored.
======================================================================
5) Solution
The vendor quickly responded by releasing version 2.2.10.
http://www.northernsolutions.com/index.php?view=product&sec=download&id=1
======================================================================
6) Time Table
22/04/2003 - Vulnerability discovered.
22/04/2003 - Vendor notified.
23/04/2003 - Vendor response.
23/04/2003 - Public disclosure.
======================================================================
7) Credits
Discovered by badpack3t, www.security-protocols.com.
======================================================================
8) About Secunia
Secunia collects, validates, assesses and writes advisories regarding
all the latest software vulnerabilities disclosed to the public.
These advisories are gathered in a publicly available database at the
Secunia website:
http://www.secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://www.secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://www.secunia.com/secunia_research/2003-5/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Secunia Research: Xeneo Web Server URL Encoding Denial of Service Carsten H. Eiram (Apr 23)
- Re: Secunia Research: Xeneo Web Server URL Encoding Denial of Service badpack3t (Apr 23)
- Re: Secunia Research: Xeneo Web Server URL Encoding Denial of Service GaLiaRePt (Apr 23)
- Re: Secunia Research: Xeneo Web Server URL Encoding Denial of Service Hotmail (Apr 23)
- Re: Secunia Research: Xeneo Web Server URL Encoding Denial of Service badpack3t (Apr 23)