JanaServer pna-proxy Real Player Request DoS

2004-11-30T00:00:00
ID OSVDB:12173
Type osvdb
Reporter Luigi Auriemma (aluigi@autistici.org)
Modified 2004-11-30T00:00:00

Description

Vulnerability Description

JanaServer2 contains a flaw that may allow a remote denial of service. The issue is due to an error in the "pna-proxy" module when handling Real Player requests. By specifying a data block size bigger than the data actually sent in a Real Player request, a remote attacker can cause an endless loop and crash the server, resulting in a loss of availability.
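
The failure mode described above, as an added example in C (not JanaServer code and not from the advisory): a block reader that treats the declared size as untrusted and stops when the peer closes before sending that many bytes. The function names, result codes and the use of POSIX read() on a pipe are assumptions for illustration; the page gives neither the pna-proxy wire format nor the faulty code.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum { BLK_OK = 0, BLK_TRUNCATED = -1, BLK_TOO_BIG = -2, BLK_IO_ERROR = -3 };

/* Read exactly `declared` bytes of a block body from fd into buf.
 * `declared` is the sender-supplied size field and is untrusted. */
int read_block(int fd, uint8_t *buf, size_t cap, size_t declared)
{
    size_t got = 0;

    if (declared > cap)            /* size field must fit the local buffer */
        return BLK_TOO_BIG;

    while (got < declared) {
        ssize_t n = read(fd, buf + got, declared - got);
        if (n > 0) {
            got += (size_t)n;
        } else if (n == 0) {
            /* Peer closed before sending what it declared. A loop that only
             * tests `got < declared` and ignores this case never exits. */
            return BLK_TRUNCATED;
        } else if (errno != EINTR) {
            return BLK_IO_ERROR;
        }
    }
    return BLK_OK;
}

/* Constructed input: push `sent` zero bytes through a pipe, close the
 * writer, then parse with the given declared size. */
int demo(size_t sent, size_t declared)
{
    uint8_t payload[64] = {0}, buf[64];
    int p[2], rc;

    if (sent > sizeof payload || pipe(p) != 0)
        return BLK_IO_ERROR;
    if (write(p[1], payload, sent) != (ssize_t)sent)
        sent = 0;                  /* short write: reader will see less data */
    close(p[1]);
    rc = read_block(p[0], buf, sizeof buf, declared);
    close(p[0]);
    return rc;
}
```

A peer that stalls without closing the connection is a separate case; it needs a receive timeout on the socket in addition to the end-of-stream check.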

Solution Description

Upgrade to version 2.4.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


References:

Security Tracker: 1012365
Secunia Advisory ID: 13333
Related OSVDB ID: 12172
Other Advisory URL: http://aluigi.altervista.org/adv/janados-adv.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0395.html
Generic Exploit URL: http://aluigi.altervista.org/poc/janados.zip