Abyss Web Server MS-DOS Device Names DoS

2004-10-20T09:36:33
ID OSVDB:11006
Type osvdb
Reporter R00tCr4ck(root@cyberspy.org)
Modified 2004-10-20T09:36:33

Description

Vulnerability Description

Abyss Web Server contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker submits an HTTP request for a URL whose path contains an MS-DOS device name (con, prn, aux, etc.; reserved device names are a Windows filesystem feature) inside the cgi-bin directory, and it results in loss of availability of the service.

Solution Description

Upgrade to version 1.2.3.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Abyss Web Server contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker submits an HTTP request for a URL containing an MS-DOS device name (con, prn, aux, etc.) inside the cgi-bin directory, and it results in loss of availability of the service.

Manual Testing Notes

http://[victim]/cgi-bin/con
http://[victim]/cgi-bin/prn
http://[victim]/cgi-bin/aux
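The three URLs above are the specific probes reported; the class of input is any path component that Windows resolves to a reserved device. As an added example (not from the original advisory and not Aprelium's code), the following Python script shows the two checks a practitioner would want around this issue: a path-component validator of the kind a Windows-hosted web server or CGI front end should apply before touching the filesystem, and a scan over access-log lines for requests that hit reserved device names under /cgi-bin/. The function names, the Common Log Format layout of the log lines and the log lines themselves are constructed for this example; the full reserved-name list (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) and the rule that Windows also treats "con.txt" and "con " as CON are standard Windows behaviour, not something the advisory states.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved MS-DOS device names on Windows (standard Windows behaviour, not
# taken from the advisory). Windows applies the rule to the part of a name
# before the first dot ("con.txt" is CON) and ignores trailing dots/spaces.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}


def is_reserved_device_name(component: str) -> bool:
    """Return True if a single path component resolves to a DOS device."""
    stem = component.rstrip(". ").split(".", 1)[0]
    return stem.upper() in RESERVED_DEVICE_NAMES


def path_has_reserved_device(url_path: str) -> bool:
    """Check every component of a (possibly percent-encoded) URL path.

    Decode first so that /cgi-bin/%63%6f%6e is seen as /cgi-bin/con; this is
    the check a server should run before mapping the path to a file.
    """
    decoded = unquote(url_path)
    return any(is_reserved_device_name(part) for part in decoded.split("/") if part)


# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def find_device_name_requests(log_lines, prefix="/cgi-bin/"):
    """Return (client_ip, request_target) for requests under `prefix`
    whose path contains a reserved device name."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        target = m.group("target")
        path = urlsplit(target).path  # drop any query string
        if path.startswith(prefix) and path_has_reserved_device(path):
            hits.append((m.group("ip"), target))
    return hits


# Constructed sample log (hypothetical hosts, timestamps and status codes;
# a server that hangs on the request may never log it at all).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Oct/2004:09:36:33 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.9 - - [20/Oct/2004:09:36:40 +0000] "GET /cgi-bin/con HTTP/1.1" 500 0',
    '10.0.0.9 - - [20/Oct/2004:09:36:41 +0000] "GET /cgi-bin/PRN HTTP/1.0" 500 0',
    '10.0.0.9 - - [20/Oct/2004:09:36:42 +0000] "GET /cgi-bin/aux.cgi?x=1 HTTP/1.1" 500 0',
    '10.0.0.9 - - [20/Oct/2004:09:36:43 +0000] "GET /cgi-bin/%63%6f%6e HTTP/1.1" 500 0',
    '10.0.0.7 - - [20/Oct/2004:09:36:44 +0000] "GET /cgi-bin/console.cgi HTTP/1.1" 200 512',
    '10.0.0.7 - - [20/Oct/2004:09:36:45 +0000] "GET /cgi-bin/lpt10 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, target in find_device_name_requests(SAMPLE_LOG):
        print(f"{ip} requested reserved device name: {target}")
```

Note the two near-misses in the sample: console.cgi and lpt10 are legitimate names and must not be flagged, which is why the validator compares the stem before the first dot against the exact reserved list instead of doing a prefix match. The percent-encoded and query-string variants are included because a check that runs on the raw request target, before decoding, would miss them.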

References:

Vendor URL: http://www.aprelium.com/
Security Tracker: 1011812
Secunia Advisory ID: 12900
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0014.html