lists.openwall.net
Open Source and information security mailing list archives

Message-ID: <200307101831.h6AIV4Tm014316@linus.mitre.org>
From: coley at mitre.org (Steven M. Christey)
Subject: Re: Does the Windows AUX bug affect Web servers also?

> Is it possible to also crash a Web server hosted on a Windows box using
> a URL something like:
>
>     http://www.somebody.com/aux

A few servers have been affected by this over the years, including:

  "T. Hauck Jana Webserver"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0558

  "BEA Systems Weblogic Server 6.1"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0106

  "Cyberstop Web Server for Windows 0.1"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0200

  "Jigsaw 2.2.1 on Windows"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1052

  "Small HTTP server 2.03"
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0493

Problems with device names such as AUX and others appear fairly
frequently.  The impact is not always a crash, e.g. you can have
source code disclosure, and I saw one issue where a device name played
a role in a directory traversal bug.

These issues probably also affect CGI programs.

FTP servers have also been affected.  Basically, anything that handles
pathnames in a Windows environment is a potential issue.

If I recall correctly, Howard and LeBlanc's "Writing Secure Code" book
discusses this problem.

- Steve
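
A defensive check for the issue discussed in the message above, added here as an example; it is not part of the original post. It flags request paths in which any component could resolve to a Windows device name. The function names and sample paths are constructed for illustration, and the device list is the standard Win32 reserved set, which the post itself only refers to as "AUX and others".

```python
import re
from urllib.parse import unquote

# Win32 reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9).
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}


def is_reserved_component(component: str) -> bool:
    """Return True if this single path component names a device.

    Deliberately conservative: surrounding spaces are ignored and
    everything after the first '.' or ':' is dropped, so "aux.txt",
    "COM1." and "nul:" are all treated like the bare device name.
    """
    base = re.split(r"[.:]", component.strip(" "), maxsplit=1)[0]
    return base.strip(" ").upper() in RESERVED


def device_components(url_path: str) -> list[str]:
    """Return every component of a URL path that names a device.

    The path is percent-decoded once, then split on both '/' and '\\',
    because a Windows server accepts either as a separator.
    """
    decoded = unquote(url_path)
    return [c for c in re.split(r"[/\\]", decoded) if is_reserved_component(c)]


# Constructed sample request paths (not taken from any real log).
SAMPLES = [
    "/aux",                   # the case asked about in the thread
    "/images/AUX.jpg",        # extension does not prevent device resolution
    "/cgi-bin/%61ux",         # percent-encoded 'a'
    "/docs/com1.",            # trailing dot
    "/a\\NUL",                # backslash separator
    "/auxiliary/index.html",  # legitimate: 'auxiliary' is not a device
    "/files/lpt10",           # legitimate: only LPT1-LPT9 are in the list
]

if __name__ == "__main__":
    for path in SAMPLES:
        hits = device_components(path)
        print(f"{'REJECT' if hits else 'ok':6} {path!r} {hits}")
```

A server or CGI front end would run such a check on the decoded path before the name reaches any file-open call, and return an error instead of opening it.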
