Vulnerability Development mailing list archives
Re: Denial of Service in Xitami webserver all versions...
From: simon () TRAGOIDIA FORCE9 CO UK (Simon)
Date: Tue, 4 Apr 2000 20:51:33 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VULN-DEV, how-do-you-do!

I received a response from IMATIX after forwarding the posts from VULN-DEV re remotely crashing the Xitami webserver by sending a simple GET command. They immediately released 2.4d7 with a fix. Also, they have said that they will now change the default install behaviour of Xitami to not allow anonymous FTP logins.

--
Slán anois,
Síomón Breathnach

Obiter dictum: Entia non sunt multiplicanda praeter necessitatem.

*------------------------------>>><><<<------------------------------*
How To Get In Touch
v===v===v===v===v===v===v
Send Email To: simon () infowizard co uk
Fax & Voicemail: 01792 540900 (+44)

Pretty Good Privacy
v===v===v===v===v===v===v
PGP: http://www.pgp.com
Public Key: http://www.netbanger.com/pgp/pubkey.shtml
Key Server: ldap://certserver.pgp.com

Very Useful Links
v===v===v===v===v===v===v
The Bat!: http://www.ritlabs.com/the_bat/index.html
Notetab: http://www.notetab.com
*------------------------------>>><><<<------------------------------*
Anyone can remotely crash the Xitami webserver by sending a simple GET command. On the remote side you will see:

Assertion Failed! Module: D:\Imatix\Develop\Smt\Smthttpl.c , line 745

All you need to do is telnet to the remote computer and execute the GET<space><enter><enter> command. Xitami will also crash if you execute the POST<space><enter><enter> or HEAD<space><enter><enter> command.

There is another DoS in Xitami. In the default installation Xitami allows anonymous users on FTP. So connect to the remote computer as an anonymous user and execute the cd con/con command.

-----------------------------
romanv () citycat ru

Tried to bring it down from a remote account, which failed; got a std HTTP error msg back. Version Xitami 2.4d1 on Winx, set up for this one on HTTP 8080, without authorisation or ipmasks. Are you sure it ain't because you used a beta version? Or did you test some previous versions as well? Is it in the console or the std. version? Did you compile it yourself or did you get a precompiled version? Questions, questions...

Cheers,
Mitch.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i
Comment: Privacy is freedom. Protect your freedom with PGP.

iQA/AwUBOOpHxctub/5cfolmEQIpxgCg6s4xL6BxSHg6d1bwacBlFTb7dqAAn3rQ
QH+S43I03/WV3n5rHJVcgbcO
=eyM3
-----END PGP SIGNATURE-----
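The two failure modes in this thread are both input-validation gaps: a request line with a method but no URI reaches an internal assertion in Smthttpl.c, and an FTP path built from a Windows reserved device name (con/con) is handed to the OS unchecked. The following is an added example, not code from Xitami, iMatix or any poster on the thread, showing a defensive request-line parser that returns a parse failure for the three payloads reported (GET, POST and HEAD followed by a space and two line endings) rather than asserting, a check that refuses FTP paths containing DOS device names in any component, and a small raw-socket probe of the kind Mitch's questions call for. The payload list is taken from the thread; the function names, the HTTP/0.9 handling and the device-name list are assumptions of this example.

```python
# Added example: input checks for the two Xitami DoS reports in this thread.
# Not Xitami/iMatix code. All sample inputs below are constructed.
import re
import socket

# Raw payloads as described in the thread: METHOD, one space, <enter><enter>.
RAW_PAYLOADS = [b"GET \r\n\r\n", b"POST \r\n\r\n", b"HEAD \r\n\r\n"]

_METHOD_TOKEN = re.compile(r"^[A-Z]+$")
_HTTP_VERSION = re.compile(r"^HTTP/\d+\.\d+$")


def parse_request_line(raw: bytes):
    """Parse the first line of an HTTP request defensively.

    Returns (method, uri, version), with version "HTTP/0.9" for a bare
    "METHOD URI" line (assumption: the server wants to accept 0.9 clients).
    Returns None for anything malformed, including "GET " with no URI, so the
    caller can answer 400 instead of reaching an assertion later on.
    """
    if not raw:
        return None
    first = raw.split(b"\r\n", 1)[0]
    first = first.split(b"\n", 1)[0]          # tolerate bare-LF clients
    try:
        line = first.decode("ascii")
    except UnicodeDecodeError:
        return None
    if any(ord(c) < 0x20 or c == "\x7f" for c in line):
        return None                           # control characters never belong here
    parts = line.split(" ")                   # single-space split: "GET " -> ["GET", ""]
    if len(parts) == 2:
        method, uri = parts
        version = "HTTP/0.9"
    elif len(parts) == 3:
        method, uri, version = parts
        if not _HTTP_VERSION.match(version):
            return None
    else:
        return None                           # too few or too many fields
    if not _METHOD_TOKEN.match(method) or not uri:
        return None                           # empty URI is the reported crash case
    return method, uri, version


# DOS device names Windows recognises in any directory, with or without an
# extension; "con/con" from the thread is two of these in one path.
_WINDOWS_DEVICES = {"CON", "PRN", "AUX", "NUL"}
_WINDOWS_DEVICES |= {f"COM{i}" for i in range(1, 10)}
_WINDOWS_DEVICES |= {f"LPT{i}" for i in range(1, 10)}


def has_windows_device_name(path: str) -> bool:
    """True if any path component is a reserved DOS device name.

    Checks each component's stem (text before the first dot, trailing
    spaces stripped) case-insensitively, so CON, con.txt, "con " and
    con/con are all refused while "console" or "control" pass.
    """
    for component in re.split(r"[\\/]+", path):
        if not component:
            continue
        stem = component.split(".", 1)[0].rstrip(" ")
        if stem.upper() in _WINDOWS_DEVICES:
            return True
    return False


def probe(host: str, port: int, payload: bytes, timeout: float = 5.0):
    """Send one raw payload and report the first response line.

    Returns the status line bytes, b"" if the peer closed cleanly without
    answering, or None on timeout, refusal or reset. Only use against a
    host you are authorised to test; it is not exercised by the checks
    below, which run offline.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            data = s.recv(4096)
            return data.split(b"\r\n", 1)[0]
    except (socket.timeout, ConnectionRefusedError, ConnectionResetError):
        return None


def reject_all_reported_payloads() -> bool:
    """The three request lines from the thread must all fail to parse."""
    return all(parse_request_line(p) is None for p in RAW_PAYLOADS)


if __name__ == "__main__":
    print("reported payloads rejected:", reject_all_reported_payloads())
    print(parse_request_line(b"GET / HTTP/1.0\r\nHost: example\r\n\r\n"))
    print("con/con refused:", has_windows_device_name("con/con"))
```

A server that answers 400 from `parse_request_line` and refuses `has_windows_device_name` paths at the FTP layer closes both holes described above without touching the underlying OS behaviour; the probe is there to confirm, against a test instance, whether a given build still drops the connection on the reported payloads.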
Current thread:
- Re: Denial of Service in Xitami webserver all versions... Simon (Apr 04)
- Re: Denial of Service in Xitami webserver all versions... Marc (Apr 04)
- Re: Denial of Service in Xitami webserver all versions... GraffiX (Apr 04)
- Re: Denial of Service in Xitami webserver all versions... Simon (Apr 04)
- Re: Denial of Service in Xitami webserver all versions... GraffiX (Apr 05)
- Re: Denial of Service in Xitami webserver all versions... Simon (Apr 04)