Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Denial of Service in Xitami webserver all versions...

From: simon () TRAGOIDIA FORCE9 CO UK (Simon)
Date: Tue, 4 Apr 2000 20:51:33 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VULN-DEV, how-do-you-do!

       I received a response from IMATIX after forwarding the posts from
       VULN-DEV re remotely crashing Xitami webserver by sending simple GET
       command. They immediately released 2.4d7 with fix. Also, they have
       said that they will now change default install behaviour of Xitami to
       not allow anon FTP logins.

      --

      Slán anois,

      Síomón Breathnach

         Obiter dictum: Entia non sunt multiplicanda praeter necessitatem.

      *------------------------------>>><><<<------------------------------*

                                How To Get In Touch
                             v===v===v===v===v===v===v
                       Send Email To: simon () infowizard co uk
                        Fax & Voicemail: 01792 540900 (+44)

                                Pretty Good Privacy
                             v===v===v===v===v===v===v
                              PGP: http://www.pgp.com
              Public Key: http://www.netbanger.com/pgp/pubkey.shtml
                       Key Server: ldap://certserver.pgp.com

                                 Very Useful Links
                             v===v===v===v===v===v===v
               The Bat!: http://www.ritlabs.com/the_bat/index.html
                          Notetab: http://www.notetab.com

      *------------------------------>>><><<<------------------------------*


Anyone can remotely crash Xitami webserver by sending simple GET
command. On remote side will be:

Assertion Failed!
Module: D:\Imatix\Develop\Smt\Smthttpl.c , line 745

All you need to do is just telnet to remote computer and execute
GET<space><enter><enter> command. Also Xitami will crash if you'll execute
POST<space><enter><enter> or HEAD<space><enter><enter> command.


There is another DoS in Xitami. By default installation Xitami
allows anonymous users on ftp. So connect to remote computer as
anonymous user and execute cd con/con command.
-----------------------------

romanv () citycat ru


Tried to bring it down from a remote account which failed, got std http
error msg back.
Version Xitami 2.4d1 on Winx, set up for this one on http 8080, without
authorisation or ipmasks.

Are you sure it ain't because you used a beta version?
Or did you test some previous versions as well?
Is it in the console or the std. version?
Did you compile it yourself or did you get a precompiled version?


Questions, questions...

Cheers, Mitch.


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i
Comment: Privacy is freedom. Protect your freedom with PGP.

iQA/AwUBOOpHxctub/5cfolmEQIpxgCg6s4xL6BxSHg6d1bwacBlFTb7dqAAn3rQ
QH+S43I03/WV3n5rHJVcgbcO
=eyM3
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: