[NT] Resin DOS device Denial of Service

From: support@securiteam.com
Date: 06/17/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 17 Jun 2002 20:45:28 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Resin DOS device Denial of Service
------------------------------------------------------------------------

SUMMARY

It is possible for a malicious user to cause a Denial of Service by
requesting certain malformed URLs from the Resin web server.

DETAILS

Vulnerable systems:
 * Resin 2.1.1 standalone on Windows 2000 Server

Immune systems:
 * Resin 2.1.2 standalone on Windows 2000 Server

Requesting the DOS device "con" with a registered extension (e.g. .JSP or
XTP) will tie up a working thread. If a malicious user requests about 150
of these, the web server will no longer service http requests.

Vendor Response:
This was reported to the vendor on the 23rd of May, 2002. On the 28th of
May, 2002 the vendor released a new snapshot (beta) that corrected the
issue. On the 11th of June, 2002 the vendor released a new version that
corrects the issue.

Corrective action:
Upgrade to version 2.1.2 available from:
<http://www.caucho.com/download/> http://www.caucho.com/download/

ADDITIONAL INFORMATION

The information has been provided by <mailto:pgrundl@kpmg.dk> Peter
Gründl.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • Re: Macro code
    ... >> All a web server is, is a program that accepts incoming connection ... >> requests, grants a connection, and satisfy's requests. ... the array index to designate which thread should use it. ...
    (comp.os.vms)
  • Re: Only 2 concurrent connections with window.open()?
    ... I am using client side JScript in Internet Explorer 6 SP1 to use a page to ... new browser windows get opened as expected, and it is evident that all are ... Active Server Pages 'Requests Executing' and 'Requests Queued' counters on ... client browser at any one time, i.e. they never reach the web server until ...
    (microsoft.public.scripting.jscript)
  • Re: What classes do I use to create a web proxy
    ... You could use a TcpListener object to listen for requests from the desktop application, and a TcpClient to connect to the original web server. ... You say that you "do not want to create a web service proxy nor do I want to do anything with web services". ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: What classes do I use to create a web proxy
    ... You could use a TcpListener object to listen for requests from the desktop ... You say that you "do not want to create a web service proxy nor do I want to ... timeout and the web server regularly exceeds this, ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Update Performance
    ... that your transaction log file is on. ... >I have a stored procedure that is executed on every web request that we ... > On the web server, I get about 50 Requests a second. ... > If I comment out this line, I get about 350 Requests a second. ...
    (microsoft.public.sqlserver.programming)