In message <200104171346.GAA25118at_private>, neme-dhcat_private writes:
> [ Advisory for Xitami 2.4d7, 2.5d4 ]
>[.....]
>Xitami is a webserver. It has a denial of service.
>[....]
>To test this vulnerability, try the following.
>send a request like this one:
>www.server.com/aux
>some computers crash after this request. [Others work a little while longer]
>[....]
>Not known at the moment, vendor was contacted and said
>they would look into it. Over a week has gone by and nothing.

Xitami tries to do the Right Thing (tm) in handling the "magical" device filenames; under Win32 (95/98/ME/NT/2000), the function system_devicename() in sflfile.c (Xitami is open source; source available at http://www.xitami.com/) checks each path component with QueryDosDevice(), and rejects paths containing a component that is reported as a device. On other MS-DOS like platforms Xitami compares (case insensitively) against a list of "known problem" filenames (aux, con, nul, prn, com[0-9], lpt[0-9]); this code is used for plain DOS, and OS/2, but not for Win32.

For some reason this test seems to be not detecting AUX as a device file under Win32; we are still investigating why, and if the issue is confined to AUX or affects some other device names. However most of the problem device names appear to be caught by this QueryDosDevice() test. Possibly AUX not being detected like this is affecting some of the other programs that were also reported as having the same issue today.

Once we've finished determining the extent of the device files that aren't being caught by the existing tests, we plan to release a minor update to both Xitami 2.4 (release code), and Xitami 2.5 (beta test code) with a work around for this issue, possibly including a hard coded check for AUX that is always done, in addition to the Win32 QueryDosDevice() where available. This update will be announced on the Xitami user mailing list, and announcement list when it is available.

Meanwhile some Xitami users have reported that defining an Xitami alias for "AUX" that points at some non-existent file avoids the issue reported (as the alias expansion is done before any files are opened); we would suggest those looking for an immediate work around consider this.

We apologise for not getting back to you earlier; the developer who received your message did start investigating the problem.

Ewen

--
Ewen McNeill, Technical Consultant, iMatix Corporation
www.imatix.com

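The hard-coded, case-insensitive name comparison that the message describes for DOS and OS/2, and proposes as an always-on fallback for AUX, could look like the sketch below. It is an added example, not Xitami's code: the function names are hypothetical, the path is assumed to be already URL-decoded, and rejecting names that carry an extension or a trailing colon (such as AUX.txt) goes beyond the plain list comparison the message mentions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, hypothetical names. Device list as given in the
 * message: aux, con, nul, prn, com[0-9], lpt[0-9]. */
static int is_reserved_stem(const char *s, size_t n)
{
    static const char *fixed[] = { "aux", "con", "nul", "prn" };
    char low[5];
    if (n < 3 || n > 4)
        return 0;
    for (size_t i = 0; i < n; i++)
        low[i] = (char)tolower((unsigned char)s[i]);
    low[n] = '\0';
    if (n == 4)   /* com0..com9, lpt0..lpt9 */
        return (!strncmp(low, "com", 3) || !strncmp(low, "lpt", 3))
               && isdigit((unsigned char)low[3]);
    for (size_t i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
        if (strcmp(low, fixed[i]) == 0)
            return 1;
    return 0;
}

/* Returns 1 if any component of an already URL-decoded path names a device.
 * '/' and '\\' both separate components; the stem ends at '.', ':' or ' '. */
int path_has_dos_device(const char *path)
{
    const char *p = path;
    while (*p) {
        size_t len = strcspn(p, "/\\");       /* one path component */
        size_t stem = 0;
        while (stem < len && !strchr(".: ", p[stem]))
            stem++;
        if (is_reserved_stem(p, stem))
            return 1;
        p += len;
        if (*p) p++;                          /* skip the separator */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample request paths. */
    const char *s[] = { "/aux", "/docs/AUX.txt", "/auxiliary/x.html" };
    for (int i = 0; i < 3; i++)
        printf("%-20s %s\n", s[i], path_has_dos_device(s[i]) ? "reject" : "ok");
    return 0;
}
```

Running the check on every component, independent of what the operating system reports, is what keeps a single undetected name such as AUX from reaching a file open.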
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 11:53:19 PDT