Message-ID: <1051127979.1117.7.camel@c-e57270d5.018-49-6370682.cust.bredbandsbolaget.se>
From: jb at secunia.com (Jakob Balle)
Subject: Xeneo Webserver Vulnerability
First of all, a DoS can be caused in several ways.
Reporting one DoS does not cover them all, sorry,
would be nice though :-)
The Xeneo webserver contains 3 different DoS
vulnerabilities reported as below:
----
1.)
04/11/2002
Tamer Sahin (iDefense)
Details:
Sending only a '%' character to the Xeneo webserver
would make it crash.
This issue has been fixed since version 2.1.5
Original Advisory:
http://www.idefense.com/advisory/11.04.02b.txt
----
2.)
21/04/2003
BadPack3t
Details:
Sending more than 4096 ?'s to the Xeneo webserver
would make it crash.
This issue was fixed in version 2.2.10
Original Advisory:
http://lists.netsys.com/pipermail/full-disclosure/2003-April/009347.html
----
3.)
23/04/2003
Carsten Eiram (Secunia)
Details:
Sending '%A' would make the Xeneo webserver crash.
Please note the character ('A') after the '%'. This is
the difference between the issue reported by Tamer
Sahin in November 2002 and the new issue reported by
Carsten Eiram in April 2003.
This issue was fixed in version 2.2.10.
Original Advisory:
http://www.secunia.com/secunia_research/2003-5/advisory/
----
Further details can also be found in the Changelog for
the Xeneo webserver:
http://www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1
We hope this helps to clarify things.
Secunia is by no means trying to steal credit from
anyone - CREDIT IS ALWAYS GIVEN WHERE CREDIT IS DUE!
The issue reported by Secunia may be related to the
issue reported by Tamer Sahin. However, it is still a
new issue fixed on the 22nd of April and disclosed on
the 23rd of April.
Kind regards
Jakob Balle, Secunia
On Wed, 2003-04-23 at 19:37, Tamer Sahin wrote:
> Hi Folks,
>
> I contributed the vulnerability about Xeneo Webserver, mentioned below, to iDefense on 4th, November 2002. All rights on this vulnerability belong to me and iDefense.
>
> Craps,
> http://lists.netsys.com/pipermail/full-disclosure/2003-April/009371.html
> http://lists.netsys.com/pipermail/full-disclosure/2003-April/009386.html
>
> My Advisories at iDefense,
> http://www.idefense.com/advisory/11.04.02b.txt
>
> Please, without searching well, do not publish these kinds of advisories.
>
> Cheers,
>
> Tamer Sahin
> http://www.securityoffice.net
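
An added example, not part of the original message or of Xeneo's code: a strict percent-decoder in C that rejects the three input shapes listed in the message ('%', '%A', and more than 4096 characters) instead of reading past the end of the buffer. The message does not state the root cause of the crashes; `decode_target`, `hexval` and the 4096-byte `MAX_TARGET` limit are hypothetical names and values chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_TARGET 4096  /* assumed limit, matching the count in item 2 */

/* Return 0-15 for a hex digit, -1 for anything else. */
static int hexval(unsigned char c) {
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode a request target of inlen bytes into out (capacity outsz).
 * Returns the decoded length, or -1 if the input is over-long or malformed. */
int decode_target(const char *in, size_t inlen, char *out, size_t outsz) {
    size_t i = 0, o = 0;
    if (outsz == 0 || inlen > MAX_TARGET) return -1;   /* item 2 shape */
    while (i < inlen) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            /* Both hex digits must lie inside the buffer. Checking for only
             * one byte after '%' would catch "%" but still overread on "%A". */
            if (inlen - i < 3) return -1;              /* items 1 and 3 */
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;           /* e.g. "%zz" */
            c = (unsigned char)(hi * 16 + lo);
            if (c == 0) return -1;                     /* no embedded NUL */
            i += 3;
        } else {
            i++;
        }
        if (o + 1 >= outsz) return -1;                 /* keep room for NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    char out[16];
    /* Constructed inputs mirroring items 1 and 3; exit 0 if both rejected. */
    int accepted = decode_target("%", 1, out, sizeof out) != -1
                || decode_target("%A", 2, out, sizeof out) != -1;
    return accepted;
}
```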