[21271] in bugtraq
4 New vulns. vWebServer and SmallHTTP
daemon@ATHENA.MIT.EDU (Extirpater)
Mon Jul 2 01:48:45 2001
Message-ID: <20010629200121.60305.qmail@web10107.mail.yahoo.com>
Date: Fri, 29 Jun 2001 13:01:21 -0700 (PDT)
From: Extirpater <extirpater@yahoo.com>
To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
vWebServer v1.2.0 (Others?)
----------------------------
Tested system: vWebServer v1.2.0 running under
Microsoft Windows 98 (Homepage/Download @
www.vwebserver.com)
1- ASP file source disclosing:
Adding a unicoded space character at the end of
requested URL, vWebServer shows the ASP file instead
of executing it.
Example:
An example request looks this
http://www.TargetHost.com/anything.asp%20
2- DOS device filename vulnerability:
Under Windows 9x, using any DOS device names (aux,
con, prn, ...) as a filename or directory crashes
Windows.
vWebServer doesn't filter those requests.
Below example crashes both web server and Windows with
a blue screen of death.
Example:
http://www.TargetHost.com/aux/aux
3- Very long URL vulnerability:
Requesting a very long URL (i tried 8192 bytes long)
will resulted in Error #5, File error.
After requesting 2-3 times the same URL, web server
will no longer response anything. Restart needed.
Example:
http://www.TargetHost.com/AAAAAAAAA...(Ax8192)...AAA
Vendor: Informed and confirmed.
SmallHTTP (All versions vulnerable: 2.x Stables, 3.x
Latest beta 8)
---------------------------------------------------------------------
Server crashes after sending very long URL a few
times.
Example:
GET /AAA...AAA (8192) HTTP/1.0
Accept: ...
Host: ...
.
.
.
Vendor: Informed and confirmed.
Credits: Melih SARICA (melihsar@yahoo.com )
Bilgiteks IT (msarica@bilgiteks.com)
__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/
