SeaNox Devwex - Denial of Service and Directory traversal
From: Kistler Ueli (iuk@gmx.ch)Date: 06/08/02
- Previous message: Frog Man: "Security holes in LokwaBB and W-Agora"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 08 Jun 2002 20:27:59 +0200 From: Kistler Ueli <iuk@gmx.ch> To: Bugtraq <Bugtraq@SecurityFocus.com>
Affected: Seanox DevWex 1.2002.0520 Windows binary
Vulnerability: DoS and directory traversal using Win32 path delimiter
Risk: High (Code execution?)-Medium(DoS and directory traversal)
Vendor contacted: 26-5-2002
Vendor fix: http://www.seanox.de/projects.devwex.php4
DevWex is a small and flexible Webserver running as standalone win32
binary and as JAVA application.
Buffer-overflow problem:
It exists a buffer-overflow problem in the procedure handling a GET
command. Sending at least 258383 caracters with a GET command will crash
the server and make it inaccessible.
This could perhaps allow an attacker to execute shellcode.
Example: GET 258383xA+CRLF+CRLF
Directory traversal:
An attacker can request an URL containing Windows path delimiters to
break out of the
document root of DevWex. This allows an attacker to download sensitive data.
Example: GET /..\..\..\..\anyfile
Fix: Seanox has released a new version (1.2002.0601)
Regards,
Ueli Kistler
eclipse@packx.net / iuk@gmx.ch
www.packx.net / www.eclipse.fr.fm
Greetz to PackX Team
--
- Previous message: Frog Man: "Security holes in LokwaBB and W-Agora"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
