SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   TinyWeb Vendors:   RIT Research Labs
TinyWEB URL Processing Flaw Lets Remote Users Create Denial of Service Conditions
SecurityTracker Alert ID:  1007157
SecurityTracker URL:  http://securitytracker.com/id/1007157
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Feb 2 2005
Original Entry Date:  Jul 10 2003
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.9
Description:   Ziv Kamir reported a vulnerability in the TinyWEB web server. A remote user can cause the server to consume a large amount of CPU resources.

A remote user can reportedly issue a specially crafted HTTP GET request to cause the target server to consume a large amount of CPU resources:

/cgi-bin/.%00./dddd.html

The report indicates that the 'cgi-bin' directory must exists for this vulnerability to be triggered.

The vendor has reportedly been notified (on July 8, 2003).

Impact:   A remote user can cause the target server to consume a large amount of CPU resources.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ritlabs.com/tinyweb/index.html (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Vulnerability Under Tinyweb


This is a multi-part message in MIME format.
--------------030101020900000502030703
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit



hi ,



------------------------------------------------------------------------
Do you Yahoo!?
The New Yahoo! Search
<http://us.rd.yahoo.com/search/mailsig/*http://search.yahoo.com> -
Faster. Easier. Bingo.

--------------030101020900000502030703
Content-Type: text/plain;
 name="TinyWeb.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="TinyWeb.txt"

10/07/03


-------------------------------------------------------

Application: TinyWEB Server
Web Site:    http://www.ritlabs.com/tinyweb/
Versions:    1.9
Platform:    Windows
Bug:         Denial of service vulnerability .
            
            
Credits:
########

#################################
#                               #
# Ziv Kamir                     #
#                               #
# Email : vulncode@yahoo.com    #
#                               #
#                               #
#################################

---------------------

1) Introduction
2) Bug
3) The Code
4) Fix


===============
1) Introduction
===============

TinyWeb is extremely small (executable file size is 53K), simple (no configuration other than through the command line) and fast (consumes
 minimum of system resources) Win32 daemon for regular (TCP/http) and secure (SSL/TLS/https) web servers. 


=======
2) Bug
=======

A remote user can issue an HTTP GET request for /cgi-bin/.%00./dddd.html To cause the server consume large 
amounts of CPU time ( 88% - 92% ) .

The cgi-bin Folder Must Be Exists .



===========
3) The Code
===========



======
4) Fix
======

Date of Vendor Notification:

08/07/03

Status:  



==============================================================================================

                 *** The Data is for educational purpose only. *** 

     The information in this bulletin is provided "AS IS" without warranty of any 
     kind. In no event shall we be liable for any damages whatsoever including 
     direct, indirect, incidental, consequential, loss of business profits or special damages. 

==============================================================================================



--------------030101020900000502030703--



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC