| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: coley at mitre.org (Steven M. Christey) Subject: Re: Does the Windows AUX bug affect Web servers also? > Is it possible to also crash a Web server hosted on a Windows box using > a URL something like: > > http://www.somebody.com/aux A few servers have been affected by this over the years, including: "T. Hauck Jana Webserver" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0558 "BEA Systems Weblogic Server 6.1" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0106 "Cyberstop Web Server for Windows 0.1" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0200 "Jigsaw 2.2.1 on Windows" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1052 "Small HTTP server 2.03" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0493 Problems with device names such as AUX and others appear fairly frequently. The impact is not always a crash, e.g. you can have source code disclosure, and I saw one issue where a device name played a role in a directory traversal bug. These issues probably also affect CGI programs. FTP servers have also been affected. Basically, anything that handles pathnames in a Windows environment is a potential issue. If I recall correctly, Howard and LeBlanc's "Writing Secure Code" book discusses this problem. - Steve
Powered by blists - more mailing lists