[VulnWatch] MS-DOS Device Name Denial Of Service Vulnerability in Abyss Web Server X1 for Windows

From: R00tCr4ck (root_at_cyberspy.org)
Date: 10/20/04

    Date: Wed, 20 Oct 2004 14:36:33 +0000
    To: bugtraq@securityfocus.com, vuln@secunia.com, bugs@securitytracker.com, vulnwatch@vulnwatch.org
    
    

    #####################################
    # CHT Security Research Center-2004 #
    # http://www.CyberSpy.Org #
    # Turkey #
    #####################################

    Software:
    Abyss Web Server X1 for Windows

    Web Site:
    http://www.aprelium.com/

    Affected Version(s):
    X1

    Description:
    Abyss Web Server X1 is a free personal web server available for Windows, MacOS
    X, Linux, and FreeBSD operating systems.

    Official Description from the web site:
    "Abyss Web Server is based on the APX architecture.
    APX, which stands for Anti-crash Protection eXtension, was created, here at
    Aprelium, to make the server crash-proof.
    If it happens that the software causes a critical error and crashes (which is by
    the way very improbable),
    a report will be generated if possible and the server is automatically
    restarted.
    The downtime in such a case won't last more than 1 second!
    Anti-crash protection system guarantees 100% uptime!"

    There is an MS-DOS device name denial-of-service vulnerability in Abyss Web
    Server X1 for Windows:

    It is possible to remotely crash a system running Abyss Web Server X1 by
    submitting URL requests for an MS-DOS device name such as con, prn, or aux
    in the cgi-bin folder (the cgi-bin directory comes with the default
    installation). A restart of the server service is required in order to
    regain normal functionality.

    Example:

    http://[victim]/cgi-bin/prn

    ----
    Reported by R00tCr4ck on October 20, 2004
    root(at)CyberSpy.Org
    Original Article can be found at:
    http://www.CyberSpy.Org
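
A defensive check for the request pattern this advisory describes, as an added example that is not part of the original post or of Abyss Web Server: it flags request paths in which any segment resolves to a reserved device name, and runs over constructed access-log lines. It generalizes from con, prn and aux to the rest of the reserved Windows device names; the function names and the log lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved Win32 device names. con, prn and aux are the ones named in the
# advisory; nul, com1-9 and lpt1-9 complete the standard reserved set.
_DEVICE_RE = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])$", re.IGNORECASE)

# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Oct/2004:14:30:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [20/Oct/2004:14:31:12 +0000] "GET /cgi-bin/prn HTTP/1.0" - -',
    '192.0.2.77 - - [20/Oct/2004:14:31:40 +0000] "GET /cgi-bin/%41UX.cgi HTTP/1.0" - -',
    '192.0.2.15 - - [20/Oct/2004:14:32:05 +0000] "GET /cgi-bin/contact.cgi HTTP/1.0" 200 512',
    '192.0.2.15 - - [20/Oct/2004:14:32:09 +0000] "GET /console/prnt.html HTTP/1.0" 404 0',
]


def is_device_segment(segment: str) -> bool:
    """Return True if one path segment would name a DOS device on Windows."""
    # DOS accepts a trailing colon ("con:"); Win32 has historically ignored
    # an extension and trailing dots or spaces, so "prn", "prn.", "PRN.txt"
    # and "prn .cgi" all refer to the device.
    base = segment.split(":", 1)[0]
    base = base.split(".", 1)[0].rstrip(" ")
    return bool(_DEVICE_RE.match(base))


def request_targets_device(request_target: str) -> bool:
    """Check every segment of a request target, after percent-decoding."""
    path = urlsplit(request_target).path
    # Decode before comparing, and treat backslashes as separators, because
    # the filesystem sees the decoded name, not the bytes on the wire.
    decoded = unquote(path).replace("\\", "/")
    return any(is_device_segment(s) for s in decoded.split("/") if s)


def flag_log_lines(lines):
    """Return the access-log lines whose request path names a device."""
    hits = []
    for line in lines:
        m = re.search(r'"[A-Z]+ (\S+) HTTP/[\d.]+"', line)
        if m and request_targets_device(m.group(1)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print("device-name request:", hit)
```

The same predicate can back a request filter in front of a Windows-hosted server, rejecting a request before its path reaches a file-open call.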
    
