Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Server/CGI)  >   Xitami Web Server Vendors:   iMatix
Xitami Web Server Can Be Crashed By Remote Users Opening Multiple Concurrent Sessions
SecurityTracker Alert ID:  1004971
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 7 2002
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 2.5b5
Description:   A denial of service vulnerability was reported in the Xitami web server. The server does not properly handle large numbers of connections, creating denial of service conditions.

It is reported that the error occurs after the server receives a large number of concurrent sessions, resulting in the following observed behavior:

1) Service Unavailable error
2) 500 Internal error response
3) Blank document is returned
4) Ignores session request
5) Server crashes

The crash is reportedly a Microsoft Visual C++ Runtime Error that is triggered in XIWIN32.EXE. It may be due to the server failing to "clean up" resources associated with connections that are broken or have been closed. According to the report, the bug may be related to the handling of Keep-Alive connections and the failure to close them.

Impact:   A remote user can cause the server to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Resource error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98)

Message History:   None.

 Source Message Contents

Subject:  Xitami Connection Flood Server Termination Vulnerability

Affected Systems
The vulnerability was discovered on Xitami 2.5b5 for Win32,
so this may (not) be a Win32-specific issue.  No data has been
collected on other versions, so such a determination would be
purely speculation and therefore not helpful to those running
potentially vulnerable systems.

The Problem
Xitami 2.5b5 is the latest (Beta) version of iMatix' flagship
web server.  It appears to be handling large numbers of
connections in an erratic manner.

The end result of this problem is a denial of service issue
resulting from a runtime error in the server process.  The
vulnerability appears to occur after the server exceeds
its maximum number of concurrent sessions:

1) Service Unavailable error
2) 500 Internal error response
3) Blank document is returned
4) Ignores session request
5) Server crashes (DOH!)

When the fifth stage of service issues is reached Xitami
dies due to a Microsoft Visual C++ Runtime Error, an
abnormal program termination inside XIWIN32.EXE
has occurred.  The message is *not* followed by any
Win32 exception dialog.

The Workaround
The solution for Beta users is to simply stop limiting the
maximum number of HTTP sessions at once, although
this may cause performance issues.

Simply making quick moves around the vulnerable site
can result in successful exploitation of the vulnerability.
It should be noted that browser-based exploitation will
require extensive use of the back button when reaching
the more extensive stages of service failure.

Other Notes
Unlike some server crashes, the service process will
*not* recover from the crash caused by the attack.

Successful exploitation of this vulnerability will be 
extensively logged, as it would require multiple sessions,
and in the event of a browser-based attack, would
require multiple requests per session on a Keep-Alive

The term "attack" is used rather loosely, as a quick
series of jumps, especially by a large number of users,
could bring the system down without malicious intent,
although the very high level of speed necessary for
this attack is not likely to occur unless widely-spread
between several users.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC