def-2001-05: Netscape Fasttrack Server Caching DoS

[Peter Gründl <peter.grundl () DEFCOM COM>]

======================================================================
                  Defcom Labs Advisory def-2001-05

                Netscape Fasttrack Server Caching DoS

Author: Peter Gründl <peter.grundl () defcom com>
Release Date: 2001-01-22
======================================================================
------------------------=[Brief Description]=-------------------------
The Fasttrack 4.1 server has problems with its caching module. The
problem can result in all the server memory being consumed and thus
causing the server to perform very sluggishly.

------------------------=[Affected Systems]=--------------------------
- Netscape Fasttrack Server 4.1 for Windows NT 4.0

----------------------=[Detailed Description]=------------------------
The Fasttrack 4.1 server caches requests for non-existing URLs with
valid extensions (eg. .html). The cached ressources are not freed
again (at least not after half an hour), so a malicious user could
cause the web server to perform very sluggishly, simply by requesting
a lot of non-existing html-documents on the web server.

---------------------------=[Workaround]=-----------------------------
None known.

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 7th of
December, 2000. Vendor replied that the Fasttrack server is not meant
for production environments and as that, the issue will not be fixed.

======================================================================
            This release was brought to you by Defcom Labs

              labs () defcom com             www.defcom.com
======================================================================