[26526] in bugtraq
Re: Xitami Connection Flood Server Termination Vulnerability
daemon@ATHENA.MIT.EDU (Muhammad Faisal Rauf Danka)
Fri Aug 2 22:35:46 2002
Date: Fri, 2 Aug 2002 18:37:25 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: bugtraq@securityfocus.com
Cc: vuln-dev@securityfocus.com
Reply-To: mfrd@attitudex.com
Message-Id: <20020803013725.DEF393953@sitemail.everyone.net>
I tried the same method as you suggested on Xitami 2.5b5 for Win32,
but my results are a bit different.
I received the following errors:
Service Unavailable error
It Ignores session request
Although I tried it using a Perl script flooding the GET requests in a
loop, instead of using browser quickie, but yeah I had the maximum
number of concurrent sessions value set quite low, as it was 100 only.
But if the bug is in the method of identifying the max sessions and
responding to it, then it should work even if it's set as 5.
So is it specific to some limit like more than $value number of
sessions, or could it be your hardware resources running out during your
tests?
Regards,
---------
Muhammad Faisal Rauf Danka
Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk