Message-ID: <1051127979.1117.7.camel@c-e57270d5.018-49-6370682.cust.bredbandsbolaget.se>
From: jb at secunia.com (Jakob Balle)
Subject: Xeneo Webserver Vulnerability

First of all, a DoS can be caused in several ways.
Reporting one DoS does not cover them all, sorry,
would be nice though :-)

The Xeneo webserver contains 3 different DoS
vulnerabilities reported as below:

----

1.)
04/11/2002
Tamer Sahin (iDefense)

Details:
Sending only a '%' character to the Xeneo webserver
would make it crash. 

This issue has been fixed since version 2.1.5

Original Advisory:
http://www.idefense.com/advisory/11.04.02b.txt

----

2.)
21/04/2003
BadPack3t

Details:
Sending more than 4096 ?'s to the Xeneo webserver
would make it crash. 

This issue was fixed in version 2.2.10

Original Advisory:
http://lists.netsys.com/pipermail/full-disclosure/2003-April/009347.html

----

3.)
23/04/2003
Carsten Eiram (Secunia)

Details:
Sending '%A' would make the Xeneo webserver crash.
Please note the character ('A') after the '%'. This is
the difference between the issue reported by Tamer
Sahin in November 2002 and the new issue reported by
Carsten Eiram in April 2003.

This issue was fixed in version 2.2.10.

Original Advisory:
http://www.secunia.com/secunia_research/2003-5/advisory/

----

Further details can also be found in the Changelog for
the Xeneo webserver:
http://www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1

We hope this helps to clarify things.

Secunia is by no means trying to steal credit from
anyone - CREDIT IS ALWAYS GIVEN WHERE CREDIT IS DUE!
The issue reported by Secunia may be related to the
issue reported by Tamer Sahin. However, it is still a
new issue fixed on the 22nd of April and disclosed on
the 23rd of April.


Kind regards

Jakob Balle, Secunia



On Wed, 2003-04-23 at 19:37, Tamer Sahin wrote:
> Hi Folks,
> 
> I contributed the vulnerability about Xeneo Webserver, mentioned below, to iDefense on 4th, November 2002. All rights on this vulnerability belong to me and iDefense.
> 
> Craps,
> http://lists.netsys.com/pipermail/full-disclosure/2003-April/009371.html
> http://lists.netsys.com/pipermail/full-disclosure/2003-April/009386.html
> 
> My Advisories at iDefense,
> http://www.idefense.com/advisory/11.04.02b.txt
> 
> Please, without searching well, do not publish these kinds of advisories.
> 
> Cheers,
> 
> Tamer Sahin
> http://www.securityoffice.net
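
The three request shapes listed in the message differ only in small details, so a log check has to tell them apart. The following is an added example, not part of the original thread or of any vendor code: it flags all three in web server access logs, generalising '%' and '%A' to any percent sign not followed by two hex digits. The Common Log Format layout, the label names and the sample lines are assumptions constructed for illustration.

```python
import re

QMARK_LIMIT = 4096  # item 2 in the message: "more than 4096 ?'s"
# '%' followed by no hex digit at all (covers a lone '%', item 1).
BARE_PERCENT = re.compile(r"%(?![0-9A-Fa-f])")
# '%' followed by exactly one hex digit (covers '%A', item 3).
SHORT_ESCAPE = re.compile(r"%[0-9A-Fa-f](?![0-9A-Fa-f])")
# Client address and request target from a Common Log Format line (assumed format).
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+)[^"]*"')


def classify_target(target):
    """Return a label for each of the three request shapes found in target."""
    labels = []
    if BARE_PERCENT.search(target):
        labels.append("bare-percent")
    if SHORT_ESCAPE.search(target):
        labels.append("short-escape")
    if target.count("?") > QMARK_LIMIT:
        labels.append("question-mark-flood")
    return labels


def scan_log(lines):
    """Return (line number, client, labels) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.match(line)
        if not match:
            continue  # not a parseable request line
        labels = classify_target(match.group(2))
        if labels:
            hits.append((number, match.group(1), labels))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Apr/2003:19:00:01 +0200] "GET /index.html?q=%41 HTTP/1.0" 200 512',
    '192.0.2.11 - - [23/Apr/2003:19:00:02 +0200] "GET /% HTTP/1.0" 400 0',
    '192.0.2.12 - - [23/Apr/2003:19:00:03 +0200] "GET /%A HTTP/1.0" 400 0',
    '192.0.2.13 - - [23/Apr/2003:19:00:04 +0200] "GET /' + "?" * 4097 + ' HTTP/1.0" 400 0',
]

if __name__ == "__main__":
    for number, client, labels in scan_log(SAMPLE_LOG):
        print(number, client, ",".join(labels))
```

A well-formed escape such as `%41` produces no label, and a target with exactly 4096 question marks stays under the threshold quoted in the message.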

