----- Original Message ----- From: "Matthew Murphy" <mattmurphyat_private> To: "SecurITeam News" <newsat_private>; <bugtraqat_private> Sent: Monday, July 08, 2002 8:36 PM Subject: ALERT: Working Resources BadBlue #2 (DoS, Heap Overflow) > ALERT: Working Resources BadBlue #2 > Vendor Notified: July 8, 2002 > > Working Resources have been informed of a > pair of denial of service conditions in > the BadBlue PWS. > > The first vulnerability lies in the way a > GET request is handled. A specially > crafted GET request can crash the target > server. > > Also, a remotely exploitable overflow was > found in an ISAPI that ships with the > server. Exploitation of this vulnerability > will cause an access violation, and does > not seem to allow code execution. > > Additional technical details will be made > available as fixes are released for the > vulnerabilities in question. > > Alert Published July 8, 2002 > > "The reason the mainstream is thought > of as a stream is because it is > so shallow." > - Author Unknown > A month or so ago I decided to lose my win32 virginity so to speak and downloaded some software from downloads.com. One of the programs I downloaded was badblue and I seem to recall something about a /%2e%2e%2f/ directory traversal issue. At the time I didnt think about it too much, being heartbroken over not finding a decent debugger for windows and left the software alone. But after seeing posts on bugtraq about badblue I figured maybe vuln-dev would be intrested in this. Oh btw, what debuggers are you people using on windows?
This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 12:13:51 PDT