Vulnerability Development mailing list archives
Re: Denial of Service in Xitami webserver all versions up to v2.5b1 for Windows.
From: webmad () MAIL RU (Roman)
Date: Tue, 4 Apr 2000 22:04:04 +0200
Anyone can remotely crash Xitami webserver by sending simple GET command. On remote side will be:

Assertion Failed!
Module: D:\Imatix\Develop\Smt\Smthttpl.c , line 745

All you need to do is just telnet to remote computer and execute GET<space><enter><enter> command. Also Xitami will crash if you'll execute POST<space><enter><enter> or HEAD<space><enter><enter> command.

There is another DoS in Xitami. By default installation Xitami allows anonymous users on ftp. So connect to remote computer as anonymous user and execute cd con/con command.

-----------------------------
romanv () citycat ru
M> Tried to bring it down from a remote account which failed, got std http
M> error msg back.
M> Version Xitami 2.4d1 on Winx, set up for this one on http 8080, without
M> authorisation or ipmasks.

To crash Xitami you need to telnet to http port and type GET<leave space here> then press Enter twice (i.e. "GET \n\n").

M> Are you sure it ain't because you used a beta version?
M> Or did you test some previous versions as well?

Yes I have tested this vulnerability on Xitami v2.5b1 and on previous one. Xitami v2.5b1 the latest version I've found.

M> Is it in the console or the std. version?
M> Did you compile it yourself or did you get a precompiled version?

I got precompiled version from xitami website.

-----------------------------
romanv () citycat ru
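An added example, not part of the original post and not Xitami source code: request-line and FTP-path validation in C that answers the two inputs described above with an error instead of failing an assertion. The function names, the return codes and the assumption that the assertion fires on an empty request target are mine; the device-name list is partial (COM1-9 and LPT1-9 are omitted).

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum { REQ_OK = 0, REQ_BAD = 400 };   /* hypothetical return codes */

/* Parse "METHOD SP target ..." from one request line. Anything malformed
 * returns REQ_BAD so the caller can reply 400 instead of aborting. */
int parse_request_line(const char *line, char *method, size_t msz,
                       char *target, size_t tsz)
{
    size_t n = strcspn(line, " \r\n");        /* length of method token */
    if (n == 0 || n >= msz || line[n] != ' ')
        return REQ_BAD;                       /* no method, or no separator */
    memcpy(method, line, n);
    method[n] = '\0';

    const char *p = line + n + 1;
    size_t t = strcspn(p, " \r\n");           /* length of request target */
    if (t == 0 || t >= tsz)
        return REQ_BAD;                       /* "GET \n\n": target is empty */
    memcpy(target, p, t);
    target[t] = '\0';
    return REQ_OK;
}

/* Case-insensitive match of s[0..n) against an upper-case name. */
static int ieq(const char *s, size_t n, const char *name)
{
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)s[i]) != name[i]) return 0;
    return 1;
}

/* Return 1 if any component of path (split on '/' or '\\') is a DOS
 * device name, with or without an extension, e.g. "con/con" or "Con.txt". */
int path_has_dos_device(const char *path)
{
    static const char *dev[] = { "CON", "PRN", "AUX", "NUL" };
    while (*path) {
        size_t len = strcspn(path, "/\\");    /* one path component */
        size_t base = 0;
        while (base < len && path[base] != '.') base++;  /* drop extension */
        for (size_t i = 0; i < sizeof dev / sizeof dev[0]; i++)
            if (ieq(path, base, dev[i])) return 1;
        path += len;
        if (*path) path++;                    /* skip the separator */
    }
    return 0;
}
```
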