[NT] Resin DOS device Denial of Service

From: support@securiteam.com
Date: 06/17/02

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 17 Jun 2002 20:45:28 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Resin DOS device Denial of Service


It is possible for a malicious user to cause a Denial of Service by
requesting certain malformed URLs from the Resin web server.


Vulnerable systems:
 * Resin 2.1.1 standalone on Windows 2000 Server

Immune systems:
 * Resin 2.1.2 standalone on Windows 2000 Server

Requesting the DOS device "con" with a registered extension (e.g. .JSP or
XTP) will tie up a working thread. If a malicious user requests about 150
of these, the web server will no longer service http requests.

Vendor Response:
This was reported to the vendor on the 23rd of May, 2002. On the 28th of
May, 2002 the vendor released a new snapshot (beta) that corrected the
issue. On the 11th of June, 2002 the vendor released a new version that
corrects the issue.

Corrective action:
Upgrade to version 2.1.2 available from:
<http://www.caucho.com/download/> http://www.caucho.com/download/


The information has been provided by <mailto:pgrundl@kpmg.dk> Peter


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.