[26528] in bugtraq


Re: Xitami Connection Flood Server Termination Vulnerability

daemon@ATHENA.MIT.EDU (mattmurphy@kc.rr.com)
Sat Aug 3 13:05:27 2002

Date: 3 Aug 2002 02:33:58 -0000
Message-ID: <20020803023358.23380.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: <mattmurphy@kc.rr.com>
To: bugtraq@securityfocus.com

In-Reply-To: <20020803013725.DEF393953@sitemail.everyone.net>

>Although I tried it using a Perl script flooding the GET requests in a
>loop, instead of using browser quickie, but yeah I had the maximum
>number of concurrent sessions value set quite low, as it was 100 only.
>

A little correction on the connection setting.  My config was reset during maintenance, and was actually set at *infinite* connections, but Xitami ceased to respond at about 11 connections on my box.  The denial of service condition appears to be an overloaded piece of code in a library/core module.  It appears to be maxed out when Xitami stops checking for new session requests.  However, what puzzles me is *why* the service is halting checks when it has no connection limit set.
