Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13
HistoryApr 05, 2000 - 12:00 a.m.

Re: Denial of Service in Xitami webserver all versions...

2000-04-0500:00:00
vulners.com
26
JSON

Xitami also has an overflow in one of the default example CGI programs that
it comes with.

http://server.com/cgi-bin/TESTCGI.EXE bla bla bla overflow argv fun.

Signed,
Marc
eEye Digital Security
http://www.eEye.com

"Its a bullshit, three ring, circus sideshow. The only way to fix it is to
flush it all away."

-----Original Message-----
| From: VULN-DEV List [mailto:[email protected]]On Behalf Of
| Simon
| Sent: Tuesday, April 04, 2000 12:52 PM
| To: [email protected]
| Subject: Re: Denial of Service in Xitami webserver all versions…
|
|
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| VULN-DEV, how-do-you-do!
|
| I received a response from IMATIX after forwarding the posts from
| VULN-DEV re remotely crashing Xitami webserver by sending
| simple GET
| command. They immediately released 2.4d7 with fix. Also, they have
| said that they will now change default install behaviour
| of Xitami to
| not allow anon FTP logins.
|
|
| –
|
| Slбn anois,
|
| Sнomуn Breathnach
|
|
| Obiter dictum: Entia non sunt multiplicanda praeter necessitatem.
|
|
| ------------------------------>>><><<<------------------------------
|
| How To Get In Touch
| v===v===v===v===v===v===v
| Send Email To: [email protected]
| Fax & Voicemail: 01792 540900 (+44)
|
| Pretty Good Privacy
| v===v===v===v===v===v===v
| PGP: http://www.pgp.com
| Public Key: http://www.netbanger.com/pgp/pubkey.shtml
| Key Server: ldap://certserver.pgp.com
|
| Very Useful Links
| v===v===v===v===v===v===v
| The Bat!: http://www.ritlabs.com/the_bat/index.html
| Notetab: http://www.notetab.com
|
|
| ------------------------------>>><><<<------------------------------
|
|
| >>Anyone can remotely crash Xitami webserver by sending simple GET
| >>command. On remote side will be:
| >>
| >>Assertion Failed!
| >>Module: D:\Imatix\Develop\Smt\Smthttpl.c , line 745
| >>
| >>All you need to do is just telnet to remote computer and execute
| >>GET<space><enter><enter> command. Also Xitami will crash if
| you'll execute
| >>POST<space><enter><enter> or HEAD<space><enter><enter> command.
| >>
| >>
| >>There is another DoS in Xitami. By default installation Xitami
| >>allows anonymous users on ftp. So connect to remote computer as
| >>anonymous user and execute cd con/con command.
| >>-----------------------------
| >>
| >>[email protected]
| >
| >Tried to bring it down from a remote account which failed, got std http
| >error msg back.
| >Version Xitami 2.4d1 on Winx, set up for this one on http 8080, without
| >authorisation or ipmasks.
| >
| >Are you sure it ain't because you used a beta version?
| >Or did you test some previous versions as well?
| >Is it in the console or the std. version?
| >Did you compile it yourself or did you get a precompiled version?
| >
| >
| >Questions, questions…
| >
| >Cheers, Mitch.
|
| -----BEGIN PGP SIGNATURE-----
| Version: PGP 6.5i
| Comment: Privacy is freedom. Protect your freedom with PGP.
|
| iQA/AwUBOOpHxctub/5cfolmEQIpxgCg6s4xL6BxSHg6d1bwacBlFTb7dqAAn3rQ
| QH+S43I03/WV3n5rHJVcgbcO
| =eyM3
| -----END PGP SIGNATURE-----
|

JSON