Message-ID: <20362.66.192.0.71.1051131324.squirrel@web.axisamerica.com>
From: badpack3t at security-protocols.com (badpack3t)
Subject: Xeneo Webserver Vulnerability

whatever.. i still find it kind of funny that you guys release this full
blown advisory a day after the fact that i had already found the same damn
bug.  you guys just found a different way to overflow it.  hehehe nice way
to get your newbie security company's name out there. ;0)

-badpack3t.


> Reporting one DoS does not cover them all, sorry,
> would be nice though :-)
>
> The Xeneo webserver contains 3 different DoS
> vulnerabilities reported as below:
>
> ----
>
> 1.)
> 04/11/2002
> Tamer Sahin (iDefense)
>
> Details:
> Sending only a '%' character to the Xeneo webserver
> would make it crash.
>
> This issue has been fixed since version 2.1.5
>
> Original Advisory:
> http://www.idefense.com/advisory/11.04.02b.txt
>
> ----
>
> 2.)
> 21/04/2003
> BadPack3t
>
> Details:
> Sending more than 4096 ?'s to the Xeneo webserver
> would make it crash.
>
> This issue was fixed in version 2.2.10
>
> Original Advisory:
> http://lists.netsys.com/pipermail/full-disclosure/2003-April/009347.html
>
> ----
>
> 3.)
> 23/04/2003
> Carsten Eiram (Secunia)
>
> Details:
> Sending '%A' would make the Xeneo webserver crash.
> Please note the character('A') after the '%'. This is
> the difference between the issue reported by Tamer
> Sahin in November 2002 and the new issue reported by
> Carsten Eiram in April 2003.
>
> This issue was fixed in version 2.2.10.
>
> Original Advisory:
> http://www.secunia.com/secunia_research/2003-5/advisory/
>
> ----
>
> Further details can also be found in the Changelog for
> the Xeneo webserver:
> http://www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1
>
> We hope this helps to clarify things.
>
> Secunia is by no means trying to steal credit from
> anyone - CREDIT IS ALWAYS GIVEN WHERE CREDIT IS DUE!
> The issue reported by Secunia may be related to the
> issue reported by Tamer Sahin. However, it is still a
> new issue fixed on the 22nd of April and disclosed on
> the 23rd of April.
>
>
> Kind regards
>
> Jakob Balle, Secunia
>
>
>
> On Wed, 2003-04-23 at 19:37, Tamer Sahin wrote:
>> Hi Folks,
>>
>> I contributed the vulnerability about Xeneo Webserver, mentioned
>> below, to iDefense on 4th, November 2002. All rights on this
>> vulnerability belong to me and iDefense.
>>
>> Craps,
>> http://lists.netsys.com/pipermail/full-disclosure/2003-April/009371.html
>> http://lists.netsys.com/pipermail/full-disclosure/2003-April/009386.html
>>
>> My Advisories at iDefense,
>> http://www.idefense.com/advisory/11.04.02b.txt
>>
>> Please, without searching well, do not publish these kind of
>> advisories.
>>
>> Cheers,
>>
>> Tamer Sahin
>> http://www.securityoffice.net
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html



