SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Xitami Web Server
Vendors:   iMatix
Xitami Web Server GSL Templates Contain Unspecified Security Flaw
SecurityTracker Alert ID:  1004543
SecurityTracker URL:  http://securitytracker.com/id/1004543
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 15 2002
Impact:   Not specified

Version(s): 2.5 Beta
Description:   A vulnerability was reported in the Xitami web server. The nature of the vulnerability was not disclosed.

It is reported that there are multiple flaws in the GSL templates of Xitami 2.5 Beta. However, the author of the report has not disclosed the nature of the flaws pending vendor response.

The vendor has reportedly been notified.

Impact:   The impact was not specified.
Solution:   No solution was available at the time of this entry.

The author of the report indicates that users can set "use-error-script" in the "[Server]" section to "0" in the 'defaults.cfg' file. This will reportedly disable the vulnerable GSL script and secure your server. The author suggests that users who have not installed the Beta should wait until a fix is available.

Vendor URL:  www.xitami.com/
Cause:   Not specified
Underlying OS:  Linux (Any), OpenVMS, UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  ALERT: Xitami 2.5b5


I have notified iMatix via support@xitami.com of multiple
flaws in the GSL templates of Xitami 2.5 Beta.  The e-mail
was sent out today, so I will release technical details later
on, but I did want to release a workaround:

In defaults.cfg, users can set "use-error-script" in the "[Server]"
section to "0".  This will disable the vulnerable GSL script and
secure your server.  Users who have not installed the Beta 
should wait until a fix is available.

Xitami has no security contact, so I decided to publish this
workaround to avoid exploits of this bug.  In my message to
the company (iMatix) I told them that if no reply was received
in 7 days, I would publish full details.
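A check that the workaround from the message above is actually in effect, as an added example that is not part of the original advisory or of Xitami itself. It assumes defaults.cfg uses an INI-style layout (key=value lines under [Section] headers, '#' comments); the sample files and the value "1" for the enabled state are constructed.

```python
import re
import sys

# Constructed samples; the file layout is an assumption, not from the advisory.
SAMPLE_UNMITIGATED = """\
# constructed sample
[Server]
    webpages=webpages
    use-error-script=1
[Example]
    use-error-script=0
"""
SAMPLE_MITIGATED = """\
[Server]
    webpages=webpages
    use-error-script = "0"
"""

def read_setting(text, section, key):
    """Return the last value of `key` inside `[section]`, or None if absent."""
    current, value = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if current == section.lower() and "=" in line:
            name, val = line.split("=", 1)
            if name.strip().lower() == key.lower():
                value = val.strip().strip('"')
    return value

def workaround_applied(text):
    """True only when [Server] use-error-script is explicitly "0".

    A missing key counts as not applied: the advisory does not state the
    default, so absence cannot be treated as safe. The same key under any
    other section is ignored.
    """
    return read_setting(text, "Server", "use-error-script") == "0"

if __name__ == "__main__":
    # Usage: python check_xitami.py /path/to/defaults.cfg
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        ok = workaround_applied(fh.read())
    print("workaround applied" if ok else "use-error-script is NOT set to 0")
    sys.exit(0 if ok else 1)
```
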

 
 



Copyright 2021, SecurityGlobal.net LLC