[NT] TinyWeb Server Denial of Service Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 10/09/03

  • Next message: SecuriTeam: "[NEWS] SNAP Innovation's PrimeBase Database Default File Permissions and Symlinks Vulnerabilities" 
    To: list@securiteam.com
Date: 9 Oct 2003 17:39:56 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      TinyWeb Server Denial of Service Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.ritlabs.com/tinyweb/> TinyWeb is "extremely small (executable
    file size is 53K), simple (no configuration other than through the command
    line) and fast (consumes minimum of system resources) Win32 daemon for
    regular (TCP/http) and secure (SSL/TLS/https) web servers".

    A vulnerability in the product allows remote attackers to cause the server
    to crash by sending it a special request.

    DETAILS

    Vulnerable systems:
     * TinyWeb version 1.9

    A remote user can issue an HTTP GET request for /cgi-bin/.%00./dddd.html
    and cause the server consume large amounts of CPU time (88%-92%).

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:vulncode@yahoo.com> Ziv
    Kamir.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] SNAP Innovation's PrimeBase Database Default File Permissions and Symlinks Vulnerabilities"

    Relevant Pages

    • [NT] SMSGate Denial of Service
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability in the way SMSGate handles incoming HTTP ... When a too big HTTP Content-Length value is received, the server tries to ...
      (Securiteam)
    • [NT] Directory Traversal Exploit in SD Server
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... SD Server is very easy to install, ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)
    • [NEWS] SCI Photo Chat Server Cross Site Scripting
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... chat server that supports multimedia pictures, sounds, or even videos. ...
      (Securiteam)
    • [UNIX] PrimeBase SQL Database Server Clear Text Password Storage
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The PrimeBase SQL Database Server stores ... Administrator password during installation. ...
      (Securiteam)
    • [NT] Fastream NETFile FTP/WebServer CSS Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Fastream NETFile Server ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)