[VulnWatch] iDEFENSE Security Advisory 11.04.02b: Denial of Service Vulnerability in Xeneo Web ServerFrom: David Endler (firstname.lastname@example.org)
- Previous message: David Endler: "[VulnWatch] iDEFENSE Security Advisory 11.04.02a: Pablo FTP Server DoS Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David Endler" <email@example.com> To: firstname.lastname@example.org Date: Mon, 4 Nov 2002 00:46:47 -0500
-----BEGIN PGP SIGNED MESSAGE-----
iDEFENSE Security Advisory 11.04.02b:
Denial of Service Vulnerability in Xeneo Web Server
November 4, 2002
Northern Solutions' Xeneo Web Server is a "fast, compact web server
that makes it easy to set up and administer a web site on the Windows
platform." More information about the application is available at
Due to the improper handling of a specially crafted web request,
remote attackers may launch a denial of service attack against the
PHP version of Xeneo. The condition is triggered when the web server
receives a request for '%'. Upon successful exploitation, the web
server will crash with a Microsoft Visual C++ runtime error message.
The following is an example attack URL:
Any remote user with access to the application can launch this
attack, thereby denying legitimate users access to the server and the
contents and/or additional services provided.
Xeneo 220.127.116.11 (PHP version) and 2.0.759.6 are vulnerable.
Use a filtering web proxy server to help mitigate against
VI. VENDOR FIX
Xeneo 2.1.5 and later should fix the problem. The latest release is
version 18.104.22.168, and it can be downloaded at
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1248 to this issue.
VIII. DISCLOSURE TIMELINE
10/06/2002 Issue disclosed to iDEFENSE
10/31/2002 Author notified
10/31/2002 iDEFENSE clients notified
10/31/2002 Response received from Robert Shanahan
11/04/2002 Public disclosure
Tamer Sahin (email@example.com) discovered this vulnerability.
Get paid for security research
Subscribe to iDEFENSE Advisories:
send email to firstname.lastname@example.org, subject line: "subscribe"
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
David Endler, CISSP
Director, Technical Intelligence
14151 Newbrook Drive
Chantilly, VA 20151
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
-----END PGP SIGNATURE-----