Full Disclosure mailing list archives
Re: Does the Windows AUX bug affect Web servers also?
From: "Steven M. Christey" <coley () mitre org>
Date: Thu, 10 Jul 2003 14:31:04 -0400 (EDT)
> Is it possible to also crash a Web server hosted on a Windows box using
> a URL something like: http://www.somebody.com/aux
A few servers have been affected by this over the years, including:

  "T. Hauck Jana Webserver"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0558

  "BEA Systems Weblogic Server 6.1"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0106

  "Cyberstop Web Server for Windows 0.1"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0200

  "Jigsaw 2.2.1 on Windows"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1052

  "Small HTTP server 2.03"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0493

Problems with device names such as AUX and others appear fairly
frequently. The impact is not always a crash, e.g. you can have source
code disclosure, and I saw one issue where a device name played a role
in a directory traversal bug.

These issues probably also affect CGI programs. FTP servers have also
been affected. Basically, anything that handles pathnames in a Windows
environment is a potential issue.

If I recall correctly, Howard and LeBlanc's "Writing Secure Code" book
discusses this problem.

- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
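The check Steve's message implies but does not spell out, as an added example that is not part of the original post or of any of the servers listed: a path-component filter a Windows-hosted web server, CGI handler or FTP daemon could apply before touching the filesystem. It encodes the classic Win32 reserved device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) and the three ways a request can still reach them after a naive comparison: an appended extension (aux.txt), trailing dots or spaces (aux.), and a percent-encoded or mixed-case spelling (%41ux). The function names, the sample request paths and the tuple return shape are this example's own choices, not anything from the thread.

```python
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Classic Win32 reserved device names. The match is case-insensitive and
# applies to the base name of a path component, so AUX, aux.txt and "aux."
# all resolve to the AUX device when handed to the Win32 file APIs.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def component_is_device(component: str) -> bool:
    """True if one path component would resolve to a Windows device."""
    # Win32 strips trailing dots and spaces before resolving a name,
    # so "aux." and "aux " are the same as "aux".
    name = component.rstrip(". ")
    # Everything before the first dot is the base name ("nul.tar.gz" -> "nul").
    base = name.split(".", 1)[0]
    # The legacy "AUX:" spelling also names the device; a colon is never
    # legal inside an ordinary Windows file name, so this drops nothing valid.
    base = base.split(":", 1)[0]
    return base.upper() in RESERVED_DEVICE_NAMES


def check_request_path(url_path: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, offending_component) for a URL path.

    Percent-decoding happens first so %41UX is seen as AUX, and both
    slash flavours are treated as separators because Windows accepts either.
    """
    decoded = unquote(url_path)
    for component in re.split(r"[\\/]+", decoded):
        if component and component_is_device(component):
            return False, component
    return True, None


# Constructed sample request paths (not taken from any real log).
SAMPLE_PATHS = [
    "/index.html",
    "/aux",
    "/cgi-bin/aux.txt",
    "/docs/auxiliary.html",
    "/com1.html",
    "/com10",
    "/%41UX.",
    "/images\\nul",
]


def rejected_paths(paths=SAMPLE_PATHS):
    """List of (path, offending component) pairs the filter would refuse."""
    out = []
    for path in paths:
        ok, bad = check_request_path(path)
        if not ok:
            out.append((path, bad))
    return out


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        ok, bad = check_request_path(path)
        verdict = "serve" if ok else f"reject (device name in component {bad!r})"
        print(f"{path:28} -> {verdict}")
```

Run it as a script to see each constructed path classified; in a real server the rejection would be a 400 or 404 issued before any open() call, since the damage Steve describes (hang, crash, or source disclosure) happens inside the filesystem call itself, not in the HTTP layer.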
Current thread:
- Re: Does the Windows AUX bug affect Web servers also? Michael Bemmerl (Jul 09)
- <Possible follow-ups>
- Re: Does the Windows AUX bug affect Web servers also? Steven M. Christey (Jul 10)