OpenConnect WebConnect may stop responding after processing an HTTP request with an MS-DOS device name in it.
OpenConnect Webconnect provides secured web access and emulation services for backend mainframes and UNIX servers. Versions of Webconnect prior to 6.4.5 and 6.5.1 running on Windows OS may stop responding after processing an HTTP GET or POST request with an MS-DOS device name in it. All HTTP and emulation services supported by Webconnect may be affected after such an attack.
OpenConnect WebConnect running on Windows OS may experience a denial-of-service condition after processing MS-DOS device names in HTTP requests.
Affected sites should upgrade to a corrected version of WebConnect, versions 6.4.5 and 6.5.1. Licensed users can send mail to OpenConnect technical support mailto: email@example.com, or call +1-972-888-0678.
Vendor| Status| Date Notified| Date Updated
OpenConnect| | 21 Dec 2004| 20 Feb 2005
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Thanks to Dennis Rand of the Danish Computer Incident Response Team for reporting this vulnerability.
This document was written by Jeff S Havrilla, with contributions from Dennis Rand and the OpenConnect WebConnect Development team.