Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Does the Windows AUX bug affect Web servers also?

From: "Steven M. Christey" <coley () mitre org>
Date: Thu, 10 Jul 2003 14:31:04 -0400 (EDT)


Is it possible to also crash a Web server hosted on a Windows box using
a URL something like:

    http://www.somebody.com/aux


A few servers have been affected by this over the years, including:

  "T. Hauck Jana Webserver"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0558

  "BEA Systems Weblogic Server 6.1"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0106

  "Cyberstop Web Server for Windows 0.1"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0200

  "Jigsaw 2.2.1 on Windows"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1052

  "Small HTTP server 2.03"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0493

Problems with device names such as AUX and others appear fairly
frequently.  The impact is not always a crash, e.g. you can have
source code disclosure, and I saw one issue where a device name played
a role in a directory traversal bug.

These issues probably also affect CGI programs.

FTP servers have also been affected.  Basically, anything that handles
pathnames in a Windows environment is a potential issue.

If I recall correctly, Howard and LeBlanc's "Writing Secure Code" book
discusses this problem.

- Steve
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: