SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Fastream NETFile Server
Vendors:   Fastream Technologies
Fastream NETFile Server HEAD Connection Errors Let Remote Users Consume All Available Connections
SecurityTracker Alert ID:  1012267
SecurityTracker URL:  http://securitytracker.com/id/1012267
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 19 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 7.1.2
Description:   bratax ck reported a vulnerability in Fastream NETFile Server. A remote user can cause denial of service conditions.

It is reported that the web service does not properly process 'keepalive' connection timeouts for HTTP HEAD requests. The service fails to close HEAD request connections. A remote user can make multiple HEAD requests to consume all available connections and deny service to other users.
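
A defender-side check for the condition described above, as an added example (not code from SecurityTracker, the reporter or Fastream): it flags clients holding several connections whose last request was HEAD and which have stayed idle past the keep-alive timeout. The `Conn` record, the 15-second timeout, the per-client threshold and the sample snapshot are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed values: the advisory does not state the server's keep-alive
# timeout or its connection limit.
KEEPALIVE_TIMEOUT_S = 15
PER_CLIENT_THRESHOLD = 3

@dataclass
class Conn:                  # hypothetical connection-table record
    client: str              # remote address
    last_method: str         # method of the last completed request
    last_activity: float     # epoch seconds of the last byte sent or received
    is_open: bool            # True while the server still holds the socket

def stale_head_connections(conns, now, timeout=KEEPALIVE_TIMEOUT_S):
    """Open connections whose last request was HEAD and that have been idle
    longer than the keep-alive timeout, i.e. should already be closed."""
    return [c for c in conns
            if c.is_open
            and c.last_method.upper() == "HEAD"
            and now - c.last_activity > timeout]

def clients_to_review(conns, now, timeout=KEEPALIVE_TIMEOUT_S,
                      threshold=PER_CLIENT_THRESHOLD):
    """Return {client: stale HEAD connection count} for clients that hold
    at least `threshold` such connections."""
    counts = defaultdict(int)
    for c in stale_head_connections(conns, now, timeout):
        counts[c.client] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed snapshot taken at NOW (documentation address ranges).
NOW = 1000.0
SAMPLE = [
    Conn("192.0.2.10", "HEAD", 900.0, True),
    Conn("192.0.2.10", "HEAD", 905.0, True),
    Conn("192.0.2.10", "HEAD", 910.0, True),
    Conn("192.0.2.10", "HEAD", 995.0, True),     # still inside the timeout
    Conn("198.51.100.7", "GET", 900.0, True),    # idle, but not a HEAD request
    Conn("198.51.100.7", "HEAD", 800.0, False),  # closed as expected
    Conn("203.0.113.5", "HEAD", 950.0, True),    # one stale, below threshold
]

if __name__ == "__main__":
    for ip, n in clients_to_review(SAMPLE, NOW).items():
        print(f"{ip}: {n} HEAD connections idle past {KEEPALIVE_TIMEOUT_S}s")
```

On a fixed version (7.1.3) the stale list should stay empty, since idle HEAD connections are closed at the timeout.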

Impact:   A remote user can prevent other users from connecting to the web service.
Solution:   The vendor has released a fixed version (7.1.3), available at:

http://www.fastream.com/download.htm

Vendor URL:  www.fastream.com/products.htm
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Fastream NETFile FTP/Web Server HEAD Request Processing Lets Remote User Deny Service


Impact: A remote user can make the Fastream Web Server deny service to
other users

Vendor URL: http://www.fastream.com/

Vulnerable Versions: Tested on Fastream NETFile FTP/Web Server 7.1.2
Professional - Previous versions probably vulnerable as well (not
tested).

Description:
Fastream NETFile FTP/Web Server improperly handles the timeout on
"keepalive" connections after making a HEAD request to the web server.
When a remote user sends a HEAD request, the web server doesn't close
the connection with the client. This makes it possible for a remote
user to use all the available connections and thus make the software
deny service to other users.

Solution/Status:
Vendor has been contacted and has released a fixed version (7.1.3)

-- 
bratax ck
bratax@gmail.com
 
 

