[25811] in bugtraq


KPMG-2002021: Resin Large Parameter Denial of Service

daemon@ATHENA.MIT.EDU (Peter Gründl)
Mon Jun 17 11:53:03 2002

Message-ID: <00b401c215cf$e8d80540$2800a8c0@kpmgamu1nhszw2>
From: "Peter Gründl" <pgrundl@kpmg.dk>
To: "bugtraq" <bugtraq@securityfocus.com>
Date: Mon, 17 Jun 2002 09:23:42 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

--------------------------------------------------------------------

Title: Resin Large Parameter Denial of Service

BUG-ID: 2002021
Released: 17th Jun 2002
--------------------------------------------------------------------

Problem:
========
It is possible for a malicious user to cause a Denial of Service
by requesting certain malformed URLs from the Resin web server.


Vulnerable:
===========
- Resin 2.1.1 standalone on Windows 2000 Server


Not Vulnerable:
===============
- Resin 2.1.2 standalone on Windows 2000 Server


Details:
========
By supplying very large parameter values in requests for non-existent
resources, it is possible to consume the server's entire workspace.
This results in part of, or the entire, web server hanging.
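A log-side check for the request pattern the advisory describes, added here as an example (it is not code from the advisory or from Caucho). It assumes Resin is configured to write a common-log-format access log, that the sample lines are constructed stand-ins for real traffic, and that the 4 KB query-string threshold is a placeholder to tune against your own baseline.

```python
import re
from urllib.parse import urlsplit

# Common log format; the SAMPLE_LINES below are constructed for this
# example and do not come from a real Resin deployment.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Placeholder threshold: a query string larger than this is far outside what
# an ordinary form or link produces. Tune it to your own traffic.
MAX_QUERY_BYTES = 4096

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["query_len"] = len(urlsplit(rec["url"]).query)
    return rec

def is_suspicious(rec, max_query=MAX_QUERY_BYTES):
    # A very large parameter payload aimed at a resource the server does not
    # serve (404) is the combination the advisory describes and has no
    # ordinary reason to occur.
    return rec is not None and rec["status"] == 404 and rec["query_len"] > max_query

def flag_requests(lines, max_query=MAX_QUERY_BYTES):
    """Return the parsed records that match the large-parameter-to-404 pattern."""
    return [r for r in (parse_line(l) for l in lines) if is_suspicious(r, max_query)]

SAMPLE_LINES = [  # constructed
    '10.0.0.5 - - [17/Jun/2002:09:23:42 +0200] "GET /index.jsp?user=alice HTTP/1.0" 200 1532',
    '10.0.0.9 - - [17/Jun/2002:09:24:01 +0200] "GET /missing.jsp?q=' + "A" * 8000 + ' HTTP/1.0" 404 0',
    '10.0.0.7 - - [17/Jun/2002:09:24:15 +0200] "GET /search.jsp?q=' + "B" * 8000 + ' HTTP/1.0" 200 2211',
]

if __name__ == "__main__":
    for rec in flag_requests(SAMPLE_LINES):
        print(f'{rec["ip"]} status={rec["status"]} query_len={rec["query_len"]} {rec["url"][:40]}...')
```

Only the 404 case is flagged; a large query to an existing resource (the third line) is left for a separate, site-specific threshold so the check does not page on legitimate long searches.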


Vendor URL:
===========
You can visit the vendor webpage here: http://www.caucho.com


Vendor Response:
================
This was reported to the vendor on the 22nd of May, 2002. On the 11th
of June, 2002 the vendor released a new version that corrects the
issue.


Corrective action:
==================
Upgrade to version 2.1.2 available from:
http://www.caucho.com/download/


Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------

