[NT] Jigsaw Webserver DOS device DoS
From: support@securiteam.comDate: 07/17/02
- Previous message: support@securiteam.com: "[EXPL] Stealing Hotmail.com Cookie and User Login"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Wed, 17 Jul 2002 12:56:03 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Jigsaw Webserver DOS device DoS
------------------------------------------------------------------------
SUMMARY
<http://www.w3.org/> Jigsaw is W3C's leading-edge Web server platform,
providing a sample HTTP 1.1 implementation and a variety of other features
on top of an advanced architecture implemented in Java. A malicious user
can tie up working threads on the web server. When the web server runs out
of working threads, the webserver will no longer service web requests.
DETAILS
Vulnerable systems:
* Jigsaw V2.2.1 Distribution on Windows 2000 Server
Immune systems:
* Jigsaw V2.2.1 Dev/2.2/20020711 on Windows 2000 Server
Requests for /servlet/con never times out, and approximately 30 of these
requests are enough to tie up all working threads on the server. The
service needs to be restarted to recover.
Vendor response:
The vendor was notified on 27 May 2002. On 12 July, we verified that the
problem was corrected in the latest build (s020711).
Solution:
Upgrade to a newer version. This issue was first resolved in build
s020711, available here: <http://www.caucho.com/download/index.xtp>
http://www.caucho.com/download/index.xtp
ADDITIONAL INFORMATION
The information has been provided by <mailto:pgrundl@kpmg.dk> Peter
Gründl.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[EXPL] Stealing Hotmail.com Cookie and User Login"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- Re: Macro code
... >> All a web server is, is a program that accepts incoming connection
... >> requests, grants a connection, and satisfy's requests. ... the array
index to designate which thread should use it. ... (comp.os.vms) - Re: Only 2 concurrent connections with window.open()?
... I am using client side JScript in Internet Explorer 6 SP1 to use a page to ...
new browser windows get opened as expected, and it is evident that all are ... Active Server
Pages 'Requests Executing' and 'Requests Queued' counters on ... client browser at any
one time, i.e. they never reach the web server until ... (microsoft.public.scripting.jscript) - Re: Update Performance
... that your transaction log file is on. ... >I have a stored procedure
that is executed on every web request that we ... > On the web server, I get about 50
Requests a second. ... > If I comment out this line, I get about 350 Requests a second.
... (microsoft.public.sqlserver.programming) - [NT] Resin DOS device Denial of Service
... requesting certain malformed URLs from the Resin web server. ... the web
server will no longer service http requests. ... corrects the issue. ...
(Securiteam) - Re: [SLE] MAC address authentication
... >> a MAC address in a database to use the web. ... be a linux box with
iptables set up, and run a web server capable of PHP ... So, now any outgoing DNS requests
get allowed through, and any http web ... in a database rather than just creating the iptables
rules is a good idea, ... (SuSE)
