(Vendor Provides Initial Response) Re: iMatix's Xitami Web Server Allows Remote Users to Crash the Web Server
SecurityTracker Alert ID: 1001350
SecurityTracker URL: http://securitytracker.com/id/1001350
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 18 2001
Impact: Denial of service via network
Vendor Confirmed: Yes
Version(s): 2.5d4, 2.4d7; possibly earlier versions
Description:
It is reported that iMatix's Xitami web server contains a vulnerability that allows remote users to crash the web server.
If a remote user requests a DOS device name via an HTTP request, the server may crash. An example URL is: http://[targethost]/aux. The author of the report notes that some computers crash after this request, while others do not crash, give no indication of error, and may not work properly afterwards. If the server crashes (on Windows 98/Me), the host must be rebooted.
The vendor responds that Xitami attempts to detect path components that the operating system reports as a device (using QueryDosDevice() on Win32). However, for some reason this test is not detecting AUX as a device file under Win32.
The vendor is still investigating the issue and indicates that once they've finished determining the extent of the device files that aren't being caught by the existing tests, they plan to release a minor update to both Xitami 2.4 (release code) and Xitami 2.5 (beta test code).
In the interim, the vendor notes that some Xitami users have reported that defining an Xitami alias for "AUX" that points at some non-existent file avoids the issue, as the alias expansion is done before any files are opened.
Impact: A remote user can cause the host to crash.
Solution:
The vendor confirms the issue and is investigating. In the interim, the vendor notes that some Xitami users have reported that defining an Xitami alias for "AUX" that points at some non-existent file avoids the issue, as the alias expansion is done before any files are opened.
Vendor URL: www.imatix.com/html/xitami/index.htm
Cause: Resource error
Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Wed, 18 Apr 2001 22:51:02 +1200
Subject: Re: Advisory for Xitami 2.4d7, 2.5d4
In message <200104171346.GAA25118@user7.hushmail.com>, neme-dhc@HUSHMAIL.COM writes:
> [ Advisory for Xitami 2.4d7, 2.5d4 ]
>[.....]
>Xitami is a webserver. It has a denial of service.
>[....]
>To test this vulnerability, try the following.
>send a request like this one:
>www.server.com/aux
>some computers crash after this request. [Others work a little while longer]
>[....]
>Not known at the moment, vendor was contacted and said
>they would look into it. Over a week has gone by and nothing.
Xitami tries to do the Right Thing (tm) in handling the "magical"
device filenames; under Win32 (95/98/ME/NT/2000), the function
system_devicename() in sflfile.c (Xitami is open source; source
available at http://www.xitami.com/) checks each path component with
QueryDosDevice(), and rejects paths containing a component that is
reported as a device. On other MS-DOS like platforms Xitami compares
(case insensitively) against a list of "known problem" filenames (aux,
con, nul, prn, com[0-9], lpt[0-9]); this code is used for plain DOS,
and OS/2, but not for Win32.

For some reason this test seems to be not detecting AUX as a device
file under Win32; we are still investigating why, and if the issue is
confined to AUX or affects some other device names. However most of the
problem device names appear to be caught by this QueryDosDevice() test.
Possibly AUX not being detected like this is affecting some of the other
programs that were also reported as having the same issue today.

Once we've finished determining the extent of the device files that
aren't being caught by the existing tests, we plan to release a minor
update to both Xitami 2.4 (release code), and Xitami 2.5 (beta test code)
with a workaround for this issue, possibly including a hard-coded check
for AUX that is always done, in addition to the Win32 QueryDosDevice()
where available. This update will be announced on the Xitami user
mailing list, and announcement list when it is available.

Meanwhile some Xitami users have reported that defining an Xitami alias
for "AUX" that points at some non-existent file avoids the issue
reported (as the alias expansion is done before any files are opened);
we would suggest those looking for an immediate workaround consider this.

We apologise for not getting back to you earlier; the developer who
received your message did start investigating the problem.
Ewen
--
Ewen McNeill, Technical Consultant, iMatix Corporation www.imatix.com
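As an added illustration of the kind of check the vendor describes (this is example code written for this page, not Xitami's own system_devicename() from sflfile.c): a portable, hard-coded comparison of each request-path component against the reserved names listed in the message above (aux, con, nul, prn, com[0-9], lpt[0-9]), compared case-insensitively, which is the "always done" check the vendor mentions as a possible addition to the Win32 QueryDosDevice() test. Two things in it go beyond the advisory and are assumptions: the check runs on the percent-decoded path, so an encoded component is compared the same way as a plain one, and only the part of a component before the first dot (with trailing spaces ignored) is compared, since Win32 also resolves names such as "aux.txt" to the device. The sample request paths in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a request path into out. Returns 0 if the result would
   not fit. The device check below runs on the decoded path, so that an
   encoded component is compared against the same list as a plain one. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outlen)
            return 0;
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return 1;
}

/* Case-insensitive test of one path component against the advisory's list
   of reserved DOS device names: aux, con, nul, prn, com[0-9], lpt[0-9]. */
static int is_dos_device_name(const char *comp, size_t len)
{
    /* Only the part before the first dot counts, and trailing spaces are
       ignored: Win32 resolves "aux.txt" and "AUX " to the AUX device too.
       (Documented Win32 naming rule; an assumption beyond the advisory.) */
    size_t base = 0;
    while (base < len && comp[base] != '.')
        base++;
    while (base > 0 && comp[base - 1] == ' ')
        base--;
    if (base < 3 || base > 4)          /* every listed name is 3 or 4 chars */
        return 0;

    char name[5];
    for (size_t i = 0; i < base; i++)
        name[i] = (char)toupper((unsigned char)comp[i]);
    name[base] = '\0';

    if (base == 3)
        return strcmp(name, "AUX") == 0 || strcmp(name, "CON") == 0 ||
               strcmp(name, "NUL") == 0 || strcmp(name, "PRN") == 0;
    /* base == 4: COM0-COM9 and LPT0-LPT9 */
    return (strncmp(name, "COM", 3) == 0 || strncmp(name, "LPT", 3) == 0) &&
           isdigit((unsigned char)name[3]);
}

/* Returns 1 if any '/'- or '\'-separated component of the request path
   names a DOS device (so the request should be refused before any file is
   opened), 0 otherwise. Over-long paths are refused as well (fail closed). */
int path_has_dos_device(const char *raw_path)
{
    char path[1024];
    if (!url_decode(raw_path, path, sizeof path))
        return 1;

    const char *p = path;
    while (*p != '\0') {
        while (*p == '/' || *p == '\\')
            p++;
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        if (p > start && is_dos_device_name(start, (size_t)(p - start)))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample request paths, not taken from real traffic. */
    const char *samples[] = {
        "/aux", "/docs/AUX.html", "/%61ux", "/com1",
        "/index.html", "/auxiliary/report.txt", "/console.html",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               path_has_dos_device(samples[i]) ? "refuse (device name)" : "ok");
    return 0;
}
```

Because the comparison is done on the path string before anything is opened, it has the same effect as the alias workaround described in the message (the request never reaches the filesystem), but it does not depend on QueryDosDevice() reporting the name, which is the part that failed for AUX here. Names that merely begin with a device name ("auxiliary", "console") are not matched, since the whole base name must equal one of the listed names.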