Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Re: Cisco HTTP possible bug:
From: Jim Duncan (jnduncanCISCO.COM)
Date: Thu Apr 27 2000 - 21:15:33 CDT


Keith Woodworth writes:
> If you have:
> ip http server
> in your running config (not a great idea to have on a live router IMO) on
> your router and you do:
> http://>/%%
> it crashes said router. I confirmed this on my 1005 running 11.1(24) and
> another fellow said it worked on his 2621 and 2524. Though he didnt give
> IOS versions.
> Had to power cycle the 1005 to get it to work again. Couldnt reach it with
> telnet, http or via console cable.
> Just an observation.

Yep, it's a defect. We confirmed it and the development engineers are
working on it right now. We will post a formal advisory as soon as have a
reasonably complete fixed version section.

A workaround is to turn off management via HTTP by configuring:

    no ip http server

and saving the configuration so that it is not enabled at the next reload.

It would have been *really* nice to receive a direct notification about
this problem instead of posting it publicly. If Cisco didn't have a
response team or we failed to respond, I could understand posting it
directly to the list. All of the members of the Cisco Systems Product
Security Incident Response Team endorse the concept of full disclosure
forums like BUGTRAQ -- without them, you have no effective way to force
the vendor to attend to security vulnerabilities -- but simple politeness
should encourage some attempt to contact the responsible vendor before
blasting the vulnerability all over cyberspace.

We will follow up with any additional information as warranted. Please
send any queries, comments, etc., to psirtcisco.com
and not directly to
me. Thanks.


- --
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
E-mail: <jnduncancisco.com> Phone(Direct/FAX): +1 919 392 6209

Version: PGP 6.5.2