SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   Abyss Web Server
Vendors:   Aprelium Technologies
Abyss Web Server Bug in Processing MS-DOS Device Names Lets Remote Users Deny Service
SecurityTracker Alert ID:  1011812
SecurityTracker URL:  http://securitytracker.com/id/1011812
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 20 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): X1
Description:   R00tCr4ck of CHT Security Research Center reported a vulnerability in the Abyss Web Server. A remote user can crash the target service on Windows-based systems.

It is reported that a remote user can submit an HTTP request for a URL containing an MS-DOS device name (e.g., CON, PRN, AUX) in the 'cgi-bin' directory to cause the web service to crash.

The service must be restarted to return to normal operations.

A demonstration exploit URL is provided:

http://[target]/cgi-bin/prn
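A defender-side check for the input-validation gap described above, added here as an example and not part of the SecurityTracker entry or the Abyss code base: it normalizes each request-path component the way Windows does (case-insensitive, ignoring a trailing extension and trailing dots or spaces) and flags access-log entries that request a reserved device name. The function names and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names. Windows resolves any path component whose base name
# matches one of these (case-insensitively, ignoring any trailing ".ext") to the device
# itself, so a file lookup for "cgi-bin/prn" or "cgi-bin/prn.cgi" opens the printer device.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)

def is_reserved_device_name(component: str) -> bool:
    """True if Windows would map this single path component to a DOS device."""
    # Windows drops trailing spaces and dots, then uses the name before the first dot.
    base = component.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICE_NAMES

def request_path_is_safe(raw_path: str) -> bool:
    """Reject a request path if any component, after percent-decoding, is a device name."""
    path = unquote(raw_path.split("?", 1)[0])   # drop the query string, then decode
    for component in re.split(r"[/\\]+", path):  # treat "/" and "\" both as separators
        if component and is_reserved_device_name(component):
            return False
    return True

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

def find_device_name_requests(log_lines):
    """Return (line_number, path) for access-log entries that request a DOS device name."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST_LINE.search(line)
        if match and not request_path_is_safe(match.group(1)):
            hits.append((lineno, match.group(1)))
    return hits

# Constructed sample access-log lines (Common Log Format); not taken from the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Oct/2004:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Oct/2004:10:00:02 +0000] "GET /cgi-bin/prn HTTP/1.1" 500 0',
    '203.0.113.9 - - [20/Oct/2004:10:00:03 +0000] "GET /cgi-bin/Aux.cgi HTTP/1.0" 500 0',
    '203.0.113.9 - - [20/Oct/2004:10:00:04 +0000] "GET /cgi-bin/printer.cgi HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for lineno, path in find_device_name_requests(SAMPLE_LOG):
        print(f"line {lineno}: reserved device name in request path {path!r}")
```

The same `request_path_is_safe` check can sit in front of a CGI handler on Windows to refuse such requests before any file or device is opened.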

Impact:   A remote user can cause the web service to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.aprelium.com/abyssws/index.html
Cause:   Exception handling error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  MS-DOS Device Name Denial Of Service Vulnerability in Abyss Web


#####################################
# CHT Security Research Center-2004 #
# http://www.CyberSpy.Org           #
# Turkey                            #
#####################################

Software:
Abyss Web Server X1 for Windows

Web Site:
http://www.aprelium.com/

Affected Version(s):
X1

Description:
Abyss Web Server X1 is a free personal web server available for Windows, MacOS X, Linux, and FreeBSD operating systems.


Official Description from the web site:
"Abyss Web Server is based on the APX architecture. APX, which stands for Anti-crash Protection eXtension, was created, here at Aprelium, to make the server crash-proof.
If it happens that the software causes a critical error and crashes (which is by the way very improbable), a report will be generated if possible and the server is automatically restarted.
The downtime in such a case won't last more than 1 second!
Anti-crash protection system guarantees 100% uptime!"

There is an MS-DOS Device Name Denial of Service vulnerability in Abyss Web Server X1 for Windows:

It is possible to remotely crash a system running Abyss Web Server X1 by submitting URL requests for an MS-DOS device name such as con, prn, or aux in the cgi-bin folder (the cgi-bin directory comes with the default installation). A restart of the server service is required in order to regain normal functionality.

Example:

http://[victim]/cgi-bin/prn

----
Reported by R00tCr4ck on October 20, 2004
root(at)CyberSpy.Org
Original Article can be found at:
http://www.CyberSpy.Org
Copyright 2021, SecurityGlobal.net LLC