| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Jul 2004 22:46:56 +0200 From: "Peter Kruse" <pkr@...s.dk> To: <bugtraq@...urityfocus.com> Subject: Denial of Service vulnerability in several Lexmark HTTP servers Denial of Service vulnerability in several Lexmark HTTP servers. Several Lexmark network printers is shipped with a build-in HTTP server for administrative tasks. The webserver software is vulnerable to a Denial of Service attack that will force the webserver to restart and/or stop taking requests. The vulnerability has been discovered during a security audit and was positively identified in model T522 (others models are affected by this issue as well). As far as we know many Dell network printers also uses this webserver software and are therefore likely to be vulnerable. The Server does not handle long HOST arguments in the HTTP Header correctly and therefore causes the server to crash. We recommend that Lexmark ASAP updates their firmware in order to fix this issue. However, we have not been able to get in contact with Lexmark. They have choosen not to reply on our e-mails. This issue can be reproduced by sending a large buffer (1024 characters) in the HTTP host request, eg. GET / HTTP/1.0\r\n /Host:AAAAAA[1024]. Kind regards Peter Kruse http://www.csis.dk
Powered by blists - more mailing lists