Vulnerability Development mailing list archives
Re: Denial of Service in Xitami webserver all versions...
From: graffix () GRAFFIX TZO COM (GraffiX)
Date: Tue, 4 Apr 2000 17:02:03 -0700
Ummm....actually, they released the fix for BOTH platforms (2.4d7 and 2.5b3) yesterday, March 3rd, based on the lengthy discussions in the Xitami mailing list we've been having for days now regarding these DoS bugs. Below is the release info:

Dear Fellow Xitami Users,

Xitami 2.4d7 and 2.5b3 were released today, fixing the DoS bugs reported here and elsewhere. The latest 2.5b3 beta also corrects a number of big issues in the previous betas, and is being used heavily on a number of sites, with apparent success.

The latest GSLgen (GSLgen/2.0) is provided in the beta package. Your old GSL/1.3 scripts *won't* work without changes - the language has evolved...

Best to all,

- Pieter Hintjens
iMatix Corporation

At 08:51 PM 4/4/00 +0100, you wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VULN-DEV, how-do-you-do!

I received a response from IMATIX after forwarding the posts from VULN-DEV re remotely crashing the Xitami webserver by sending a simple GET command. They immediately released 2.4d7 with a fix. Also, they have said that they will now change the default install behaviour of Xitami to not allow anon FTP logins.

--
Slán anois,
Síomón Breathnach

Obiter dictum: Entia non sunt multiplicanda praeter necessitatem.

*------------------------------>>><><<<------------------------------*
How To Get In Touch
Send Email To: simon () infowizard co uk
Fax & Voicemail: 01792 540900 (+44)
Pretty Good Privacy
PGP: http://www.pgp.com
Public Key: http://www.netbanger.com/pgp/pubkey.shtml
Key Server: ldap://certserver.pgp.com
Very Useful Links
The Bat!: http://www.ritlabs.com/the_bat/index.html
Notetab: http://www.notetab.com
*------------------------------>>><><<<------------------------------*

Anyone can remotely crash the Xitami webserver by sending a simple GET command. On the remote side will be:

Assertion Failed!
Module: D:\Imatix\Develop\Smt\Smthttpl.c , line 745

All you need to do is just telnet to the remote computer and execute the GET<space><enter><enter> command. Also Xitami will crash if you execute the POST<space><enter><enter> or HEAD<space><enter><enter> command.

There is another DoS in Xitami. By default installation Xitami allows anonymous users on ftp. So connect to the remote computer as anonymous user and execute the cd con/con command.

-----------------------------
romanv () citycat ru

Tried to bring it down from a remote account which failed, got std http error msg back. Version Xitami 2.4d1 on Winx, set up for this one on http 8080, without authorisation or ipmasks. Are you sure it ain't because you used a beta version? Or did you test some previous versions as well? Is it in the console or the std. version? Did you compile it yourself or did you get a precompiled version? Questions, questions...

Cheers,
Mitch.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i
Comment: Privacy is freedom. Protect your freedom with PGP.

iQA/AwUBOOpHxctub/5cfolmEQIpxgCg6s4xL6BxSHg6d1bwacBlFTb7dqAAn3rQ
QH+S43I03/WV3n5rHJVcgbcO
=eyM3
-----END PGP SIGNATURE-----
-=* graffix () graffix tzo com *=- "There are 100,000 total marijuana smokers in the US, and most are Negroes, Hispanics, Filipinos and entertainers. Their Satanic music, jazz and swing, result from marijuana usage. This marijuana causes white women to seek sexual relations with Negroes, entertainers and any others." - Harry Anslinger, testifying to Congress, 1937
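Added example, not code from the thread above and not iMatix's Xitami or Smthttpl.c source: the two conditions the advisory describes are (1) a request line consisting of just a method, a space and CRLF, with no request-target or version, which the unpatched server handled with an assertion failure instead of a 400 response, and (2) an FTP "cd" into a path built from the Windows reserved device name CON. The block below reconstructs the exact bytes "GET<space><enter><enter>" produces in telnet and shows how a hardened parser and a hardened FTP server would reject both inputs rather than crash. All function names (advisory_probe_bytes, parse_request_line, has_reserved_device_component, ftp_cwd_allowed) and the constructed sample requests are this example's own assumptions; the Windows reserved-device-name list is general Win32 knowledge, not something the thread states.

```python
# Added example (not Xitami/iMatix code): hardened handling of the two
# Xitami DoS inputs from the vuln-dev thread. Function names are assumptions.
import re

def advisory_probe_bytes(method: str) -> bytes:
    """The raw bytes that 'GET<space><enter><enter>' typed into telnet sends:
    method, one space, then two CRLFs. There is no request-target and no
    HTTP-version on the line at all."""
    return method.encode("ascii") + b" \r\n\r\n"

# RFC 2616 token characters for the method, and the HTTP-Version form.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_VERSION = re.compile(rb"^HTTP/[0-9]\.[0-9]$")

def parse_request_line(data: bytes):
    """Parse the first line of an HTTP request without ever asserting.

    Returns (method, target, version) as str on success, or the int 400
    when the line is malformed. A missing target (the advisory's case) is
    rejected with 400 rather than passed on to code that assumes it exists.
    """
    line, sep, _rest = data.partition(b"\r\n")
    if not sep:
        return 400  # no complete line yet; treated as a bad request here
    parts = line.split(b" ")
    if len(parts) == 2:
        # HTTP/0.9 "Simple-Request": Method SP Request-URI, version implied.
        method, target = parts
        version = b"HTTP/0.9"
    elif len(parts) == 3:
        method, target, version = parts
        if not _VERSION.match(version):
            return 400
    else:
        return 400
    # "GET \r\n" splits into [b"GET", b""]: an empty target is the crash input.
    if not _TOKEN.match(method) or not target:
        return 400
    return method.decode("ascii"), target.decode("latin-1"), version.decode("ascii")

# Win32 reserves these names in every directory (with or without an
# extension); "con/con" therefore names a device, not a directory, and on
# Windows 9x-era systems opening such a path hung or crashed the machine.
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

def has_reserved_device_component(path: str) -> bool:
    """True if any path component, ignoring extension and trailing spaces,
    is a Windows reserved device name."""
    for comp in re.split(r"[\\/]+", path):
        stem = comp.split(".", 1)[0].strip().upper()
        if stem in _RESERVED:
            return True
    return False

def ftp_cwd_allowed(path: str) -> bool:
    """Decision a hardened FTP server makes before calling chdir() on a
    client-supplied path such as the advisory's 'cd con/con'."""
    return not has_reserved_device_component(path)

if __name__ == "__main__":
    for m in ("GET", "POST", "HEAD"):
        print(m, advisory_probe_bytes(m), "->", parse_request_line(advisory_probe_bytes(m)))
    print("GET / HTTP/1.0 ->", parse_request_line(b"GET / HTTP/1.0\r\n\r\n"))
    print("cd con/con allowed?", ftp_cwd_allowed("con/con"))
```

The check that matters in parse_request_line is the empty-target test: splitting "GET " on spaces yields a second, empty field, which is exactly the state the page's "Assertion Failed! ... Smthttpl.c, line 745" indicates the original code did not expect. The device-name check is applied per component so that "pub/LPT1.txt" is caught as well as the bare "con/con" from the advisory.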
Current thread:
- Re: Denial of Service in Xitami webserver all versions... Simon (Apr 04)
- Re: Denial of Service in Xitami webserver all versions... Marc (Apr 04)
- Re: Denial of Service in Xitami webserver all versions... GraffiX (Apr 04)
- Re: Denial of Service in Xitami webserver all versions... Simon (Apr 04)
- Re: Denial of Service in Xitami webserver all versions... GraffiX (Apr 05)
- Re: Denial of Service in Xitami webserver all versions... Simon (Apr 04)