Full Disclosure mailing list archives
Re: Xeneo Webserver Vulnerability
From: "badpack3t" <badpack3t () security-protocols com>
Date: Wed, 23 Apr 2003 16:55:24 -0400 (EDT)
whatever.. i still find it kind of funny that you guys release this full blown advisory a day after the fact that i had already found the same damn bug. you guys just found a different way to overflow it. hehehe nice way to get your newbie security company's name out there. ;0) -badpack3t.
Reporting one DoS does not cover them all, sorry, would be nice though :-)

The Xeneo webserver contains 3 different DoS vulnerabilities reported as below:

----
1.) 04/11/2002 Tamer Sahin (iDefense)
Details: Sending only a '%' character to the Xeneo webserver would make it crash. This issue has been fixed since version 2.1.5
Original Advisory: http://www.idefense.com/advisory/11.04.02b.txt

----
2.) 21/04/2003 BadPack3t
Details: Sending more than 4096 ?'s to the Xeneo webserver would make it crash. This issue was fixed in version 2.2.10
Original Advisory: http://lists.netsys.com/pipermail/full-disclosure/2003-April/009347.html

----
3.) 23/04/2003 Carsten Eiram (Secunia)
Details: Sending '%A' would make the Xeneo webserver crash. Please note the character ('A') after the '%'. This is the difference between the issue reported by Tamer Sahin in November 2002 and the new issue reported by Carsten Eiram in April 2003. This issue was fixed in version 2.2.10.
Original Advisory: http://www.secunia.com/secunia_research/2003-5/advisory/

----
Further details can also be found in the Changelog for the Xeneo webserver:
http://www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1

We hope this helps to clarify things. Secunia is by no means trying to steal credit from anyone - CREDIT IS ALWAYS GIVEN WHERE CREDIT IS DUE!

The issue reported by Secunia may be related to the issue reported by Tamer Sahin. However, it is still a new issue fixed on the 22nd of April and disclosed on the 23rd of April.

Kind regards
Jakob Balle, Secunia

On Wed, 2003-04-23 at 19:37, Tamer Sahin wrote:

Hi Folks,

I contributed the vulnerability about Xeneo Webserver, mentioned below, to iDefense on 4th, November 2002. All rights on this vulnerability belong to me and iDefense.

Craps,
http://lists.netsys.com/pipermail/full-disclosure/2003-April/009371.html
http://lists.netsys.com/pipermail/full-disclosure/2003-April/009386.html

My Advisories at iDefense,
http://www.idefense.com/advisory/11.04.02b.txt

Please, without searching well, do not publish these kind of advisories.

Cheers,
Tamer Sahin
http://www.securityoffice.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html