Vulnerability Development mailing list archives

Re: Denial of Service in Xitami webserver all versions up to v2.5b1 for Windows.


From: webmad () MAIL RU (Roman)
Date: Tue, 4 Apr 2000 22:04:04 +0200


Anyone can remotely crash the Xitami webserver by sending a simple GET
command. On the remote side you will see:

Assertion Failed!
Module: D:\Imatix\Develop\Smt\Smthttpl.c , line 745

All you need to do is just telnet to the remote computer and execute the
GET<space><enter><enter> command. Xitami will also crash if you execute
the POST<space><enter><enter> or HEAD<space><enter><enter> command.


There is another DoS in Xitami. By default, the Xitami installation
allows anonymous users on ftp. So connect to the remote computer as an
anonymous user and execute the cd con/con command.
-----------------------------

romanv () citycat ru

M> Tried to bring it down from a remote account which failed, got std http
M> error msg back.
M> Version Xitami 2.4d1 on Winx, set up for this one on http 8080, without
M> authorisation or ipmasks.

To crash Xitami you need to telnet to the http port and type GET<leave space here>,
then press Enter twice (i.e. "GET \n\n").

M> Are you sure it ain't because you used a beta version?
M> Or did you test some previous versions as well?

Yes, I have tested this vulnerability on Xitami v2.5b1 and on the previous one.
Xitami v2.5b1 is the latest version I've found.

M> Is it in the console or the std. version?
M> Did you compile it yourself or did you get a precompiled version?

I got the precompiled version from the xitami website.

-----------------------------
romanv () citycat ru
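The two failure modes in this thread are input-validation problems: a request line with a method but an empty request-target ("GET \n\n") reaches an assertion in Smthttpl.c instead of being rejected, and a path component that names a Windows device (con/con) is passed to the filesystem. The following C is an added example written for this archive page, not code from Xitami or iMatix, showing how a server-side parser can handle both cases by returning an error instead of asserting. The types and function names (request_line_t, parse_request_line, is_reserved_device_name, path_has_reserved_device) are hypothetical, and the inputs checked are constructed from the requests described above.

```c
#include <ctype.h>
#include <string.h>

/* Added example, not Xitami's code: a request-line parser that rejects
 * "GET \r\n" as malformed instead of asserting, plus a check for Windows
 * reserved device names (CON, COM1, ...) in any path component. */

#define MAX_TOKEN 256

typedef struct {
    char method[16];
    char target[MAX_TOKEN];
    char version[16];
} request_line_t;

/* Copy one space-delimited token from *p into dst (at most n-1 chars) and
 * advance *p past it. Returns the token length, or -1 if it would overflow. */
static int take_token(const char **p, char *dst, size_t n)
{
    size_t len = 0;
    while (**p && **p != ' ' && **p != '\r' && **p != '\n') {
        if (len + 1 >= n)
            return -1;
        dst[len++] = *(*p)++;
    }
    dst[len] = '\0';
    return (int)len;
}

/* Parse "METHOD SP request-target [SP HTTP-version] CRLF".
 * Returns 0 on success, -1 on any malformed line. An empty request-target
 * (the "GET " case from the advisory) is an ordinary parse error here. */
int parse_request_line(const char *line, request_line_t *out)
{
    const char *p = line;
    int len;

    memset(out, 0, sizeof(*out));

    /* Method: one or more uppercase letters. */
    len = take_token(&p, out->method, sizeof out->method);
    if (len <= 0)
        return -1;
    for (int i = 0; i < len; i++)
        if (!isupper((unsigned char)out->method[i]))
            return -1;

    /* Exactly one space must separate the method from the target. */
    if (*p != ' ')
        return -1;
    p++;

    /* Target: must be non-empty; "GET \r\n" fails right here. */
    len = take_token(&p, out->target, sizeof out->target);
    if (len <= 0)
        return -1;

    /* Optional version: an HTTP/0.9 "simple request" carries none. */
    if (*p == ' ') {
        p++;
        len = take_token(&p, out->version, sizeof out->version);
        if (len <= 0 || strncmp(out->version, "HTTP/", 5) != 0)
            return -1;
    } else {
        strcpy(out->version, "HTTP/0.9");
    }

    /* Only CRLF, bare LF, or end of string may follow. */
    if (*p == '\r')
        p++;
    if (*p == '\n')
        p++;
    return *p == '\0' ? 0 : -1;
}

/* Windows treats CON, PRN, AUX, NUL, COM1-COM9 and LPT1-LPT9 as device
 * names in any directory, with or without an extension ("con.txt" is CON). */
int is_reserved_device_name(const char *component)
{
    static const char *fixed[] = { "CON", "PRN", "AUX", "NUL" };
    char base[MAX_TOKEN];
    size_t n = strcspn(component, ".");   /* compare only the part before '.' */
    if (n == 0 || n >= sizeof base)
        return 0;
    for (size_t i = 0; i < n; i++)
        base[i] = (char)toupper((unsigned char)component[i]);
    base[n] = '\0';

    for (size_t i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
        if (strcmp(base, fixed[i]) == 0)
            return 1;
    if (n == 4 && (strncmp(base, "COM", 3) == 0 || strncmp(base, "LPT", 3) == 0)
        && base[3] >= '1' && base[3] <= '9')
        return 1;
    return 0;
}

/* Return 1 if any '/'-separated component of path is a reserved device name. */
int path_has_reserved_device(const char *path)
{
    char buf[MAX_TOKEN];
    if (strlen(path) >= sizeof buf)
        return 1;                         /* oversize paths are treated as unsafe */
    strcpy(buf, path);
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/"))
        if (is_reserved_device_name(tok))
            return 1;
    return 0;
}
```

The point of the parser is that every shape of request line, including a missing target, a lowercase method, or junk after the version, yields a return value the caller can turn into a 400 response; no input path reaches an assert. The device-name check is applied per path component, so both "con/con" and a single "con" (or "con.txt") are caught before the name is handed to the Windows filesystem.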

