Gattaca Server 2003 web.tmpl Language Variable CPU Utilization

2004-07-15T07:17:10
ID OSVDB:7924
Type osvdb
Reporter Dr_insane (dr_insane@pathfinder.gr)
Modified 2004-07-15T07:17:10

Description

Vulnerability Description

Gattaca Server 2003 contains a flaw that may allow a remote denial of service. The issue is triggered by malformed HTTP requests that pass input to the "TEMPLATE" and "LANGUAGE" parameters of the "web.tmpl" script; this input is not validated and causes large amounts of CPU processing. Additionally, the server can be crashed by establishing 600 concurrent connections.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/index.tmpl?HELPID=1000&TEMPLATE=skins//water&LANGUAGE=/
http://[victim]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/../../../../
http://[victim]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=.
http://[victim]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/
http://[victim]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=\
http://[victim]/web.tmpl?HELPID=8000&TEMPLATE=skins//[whatever]&LANGUAGE=lang//en
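
Detection example (added here, not part of the original advisory or of any vendor code): with no patch available, access logs can be scanned for requests to a .tmpl script whose TEMPLATE or LANGUAGE value is not a plain relative path. The well-formed pattern, the common-log-format layout, the function names and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a well-formed value is a relative path of plain name segments
# joined by single "/" (for example "lang/en"); the advisory does not define one.
WELL_FORMED = re.compile(r"[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*")
WATCHED_PARAMS = ("TEMPLATE", "LANGUAGE")  # parameters named in the advisory
WATCHED_SUFFIX = ".tmpl"                   # web.tmpl and index.tmpl appear in the notes
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

def suspicious_params(request_target):
    """Return watched parameter names whose (percent-decoded) value is malformed."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith(WATCHED_SUFFIX):
        return []
    flagged = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        name = name.upper()  # assumption: treat parameter names case-insensitively
        if name in WATCHED_PARAMS and name not in flagged and not WELL_FORMED.fullmatch(value):
            flagged.append(name)
    return flagged

def scan_access_log(lines):
    """Yield (client, request_target, flagged_params) for common-log-format lines."""
    for line in lines:
        m = REQUEST_RE.match(line)
        flagged = suspicious_params(m.group(2)) if m else []
        if flagged:
            yield m.group(1), m.group(2), flagged

# Constructed sample log lines (not from the advisory); documentation-range addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2004:07:00:01 +0000] "GET /web.tmpl?HELPID=8000&TEMPLATE=skins/water&LANGUAGE=lang/en HTTP/1.0" 200 5120',
    '192.0.2.44 - - [15/Jul/2004:07:00:05 +0000] "GET /web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/../../../../ HTTP/1.0" 200 0',
    '192.0.2.44 - - [15/Jul/2004:07:00:06 +0000] "GET /web.tmpl?HELPID=8000&TEMPLATE=skins/water&LANGUAGE=%5C HTTP/1.0" 200 0',
    '192.0.2.10 - - [15/Jul/2004:07:00:09 +0000] "GET /images/logo.gif HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, target, flagged in scan_access_log(SAMPLE_LOG):
        print(client, flagged, target)
```

The same predicate can back a reject rule in a filtering proxy placed in front of the server; the 600-connection crash is a separate condition that needs a per-client connection limit instead.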

References:

Secunia Advisory ID: 12071
Related OSVDB ID: 7922
Related OSVDB ID: 7926
Related OSVDB ID: 7923
Related OSVDB ID: 7927
Related OSVDB ID: 7925
Other Advisory URL: http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt