Nice try lamers. I found this vulnerability and published it on April 21. Try reading your mail lists before sending out advisories.

Links:

http://www.security-protocols.com/article.php?sid=1480&mode=thread&order=0
http://lists.netsys.com/pipermail/full-disclosure/2003-April/009347.html

---------------------------
badpack3t
www.security-protocols.com
---------------------------

> ======================================================================
>
> Secunia Research 23/04/2003
>
> - Xeneo Web Server URL Encoding Denial of Service -
>
> ======================================================================
> Receive Secunia Security Advisories for free:
> http://www.secunia.com/secunia_security_advisories/
>
> ======================================================================
> Table of Contents
> 1....................................................Affected Software
> 2.............................................................Severity
> 3.....................................Vendor's Description of Software
> 4.........................................Description of Vulnerability
> 5.............................................................Solution
> 6...........................................................Time Table
> 7..............................................................Credits
> 8........................................................About Secunia
> 9.........................................................Verification
>
> ======================================================================
> 1) Affected Software
>
> Xeneo Web Server 2.2.9 and prior.
>
> ======================================================================
> 2) Severity
>
> Rating: Moderately critical
> Impact: Denial of Service
> Where: From Remote
>
> ======================================================================
> 3) Vendor's Description of Software
>
> "Xeneo Web Server is designed to deliver high performance and
> reliability. It can be easily extended and customized to host
> everything from a personal web site to advanced web applications that
> use ASP, PHP, ColdFusion, Perl, CGI and ISAPI."
>
> "Key Xeneo Web Server features include: multiple domain support,
> integrated Windows authentication, scripting interface, enhanced
> filter support, ISAPI, CGI, ASP, SSL, intelligent file caching and
> more."
>
> Vendor:
> http://www.northernsolutions.com
>
> ======================================================================
> 4) Description of Vulnerability
>
> A vulnerability in Xeneo Web Server can be exploited by malicious
> people to cause a DoS (Denial of Service) on the web service.
>
> The vulnerability is caused due to an error in the handling of
> requests including a malformed URL encoding representation of a
> character. By sending a request like the following, "xeneo.exe" will
> crash with a runtime error.
>
> Example:
> http://[victim]/%A
>
> The web service needs to be restarted manually before functionality is
> restored.
>
> ======================================================================
> 5) Solution
>
> The vendor quickly responded by releasing version 2.2.10.
>
> http://www.northernsolutions.com/index.php?view=product&sec=download&id=1
>
>
> ======================================================================
> 6) Time Table
>
> 22/04/2003 - Vulnerability discovered.
> 22/04/2003 - Vendor notified.
> 23/04/2003 - Vendor response.
> 23/04/2003 - Public disclosure.
>
> ======================================================================
> 7) Credits
>
> Discovered by badpack3t, www.security-protocols.com.
>
> ======================================================================
> 8) About Secunia
>
> Secunia collects, validates, assesses and writes advisories regarding
> all the latest software vulnerabilities disclosed to the public.
> These advisories are gathered in a publicly available database at the
> Secunia website:
>
> http://www.secunia.com/
>
> Secunia offers services to our customers enabling them to receive all
> relevant vulnerability information to their specific system
> configuration.
>
> Secunia offers a FREE mailing list called Secunia Security Advisories:
>
> http://www.secunia.com/secunia_security_advisories/
>
> ======================================================================
> 9) Verification
>
> Please verify this advisory by visiting the Secunia website:
> http://www.secunia.com/secunia_research/2003-5/
>
> ======================================================================
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Wed Apr 23 2003 - 09:54:52 PDT