lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <34024.66.192.0.71.1051115463.squirrel@web.axisamerica.com>
From: badpack3t at security-protocols.com (badpack3t)
Subject: Secunia Research: Xeneo Web Server URL Encoding Denial of Service

Nice try lamers.  I found this vulnerability and published it on April 21.
 Try reading your mail lists before sending out advisories.

Links:

http://www.security-protocols.com/article.php?sid=1480&mode=thread&order=0
http://lists.netsys.com/pipermail/full-disclosure/2003-April/009347.html

---------------------------
badpack3t
www.security-protocols.com
---------------------------


> ======================================================================
>
>                        Secunia Research 23/04/2003
>
>           - Xeneo Web Server URL Encoding Denial of Service -
>
> ======================================================================
> Receive Secunia Security Advisories for free:
> http://www.secunia.com/secunia_security_advisories/
>
> ======================================================================
> Table of Contents
> 1....................................................Affected Software
> 2.............................................................Severity
> 3.....................................Vendor's Description of Software
> 4.........................................Description of Vulnerability
> 5.............................................................Solution
> 6...........................................................Time Table
> 7..............................................................Credits
> 8........................................................About Secunia
> 9.........................................................Verification
>
> ======================================================================
> 1) Affected Software
>
> Xeneo Web Server 2.2.9 and prior.
>
> ======================================================================
> 2) Severity
>
> Rating:  Moderately critical
> Impact:  Denial of Service
> Where:   From Remote
>
> ======================================================================
> 3) Vendor's Description of Software
>
> "Xeneo Web Server is designed to deliver high performance and
> reliability. It can be easily extended and customized to host
> everything from a personal web site to advanced web applications that
> use ASP, PHP, ColdFusion, Perl, CGI and ISAPI."
>
> "Key Xeneo Web Server features include: multiple domain support,
> integrated Windows authentication, scripting interface, enhanced
> filter support, ISAPI, CGI, ASP, SSL, intelligent file caching and
> more."
>
> Vendor:
> http://www.northernsolutions.com
>
> ======================================================================
> 4) Description of Vulnerability
>
> A vulnerability in Xeneo Web Server can be exploited by malicious
> people to cause a DoS (Denial of Service) on the web service.
>
> The vulnerability is caused due to an error in the handling of
> requests including a malformed URL encoding representation of a
> character. By sending a request like the following, "xeneo.exe" will
> crash with a runtime error.
>
> Example:
> http://[victim]/%A
>
> The web service needs to be restarted manually before functionality  is
> restored.
>
> ======================================================================
> 5) Solution
>
> The vendor quickly responded by releasing version 2.2.10.
>
> http://www.northernsolutions.com/index.php?view=product&sec=download&id=1
>
>
> ======================================================================
> 6) Time Table
>
> 22/04/2003 - Vulnerability discovered.
> 22/04/2003 - Vendor notified.
> 23/04/2003 - Vendor response.
> 23/04/2003 - Public disclosure.
>
> ======================================================================
> 7) Credits
>
> Discovered by badpack3t, www.security-protocols.com.
>
> ======================================================================
> 8) About Secunia
>
> Secunia collects, validates, assesses and writes advisories regarding
> all the latest software vulnerabilities disclosed to the public.
> These advisories are gathered in a publicly available database at the
> Secunia website:
>
> http://www.secunia.com/
>
> Secunia offers services to our customers enabling them to receive all
> relevant vulnerability information to their specific system
> configuration.
>
> Secunia offers a FREE mailing list called Secunia Security Advisories:
>
> http://www.secunia.com/secunia_security_advisories/
>
> ======================================================================
> 9) Verification
>
> Please verify this advisory by visiting the Secunia website:
> http://www.secunia.com/secunia_research/2003-5/
>
> ======================================================================
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ