OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: neme-dhchushmail.com
Date: Mon May 07 2001 - 19:31:58 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

     [ Advisory for Jana Webserver ]
     [ Site: http://www.janaserver.de ]
     [ by nemesystm of the DHC ]
     [ (http://dhcorp.cjb.net - neme-dhchushmail.com) ]
     [ ADV-0112 ]

    /-|=[explanation]=|-\
    Jana Webserver is well, a webserver. It has a
    hex-encoded dot dot bug and a denial of service.

    /-|=[who is vulnerable]=|-\
    Tested to be vulnerable to the hex-encoded dot dot
    bug are:
    Jana Webserver v1.45
    Jana Webserver v1.46
    All older versions are assumed to be vulnerable as
    well.
    Tested to be vulnerable to the denial of service
    are:
    Jana Webserver v1.45
    Jana Webserver v1.46
    Jana Webserver v2.0 Beta 1
    On Windows 98/ME AND Windows NT 4.0
    All older versions are assumed to be vulnerable as
    well.

    /-|=[testing it]=|-\
    To test this vulnerability, try the following.
    www.server.com/%2e%2e/%2e%2e/%2e%2e/scandisk.log
    Add or remove %2e%2e/'s to reflect the directory
    Jana was installed in.
    The denial of service can be tested by requesting
    www.server.com/aux

    /-|=[fix]=|-\
    is fixed in the next release of Jana.
    Free, encrypted, secure Web-based email at www.hushmail.com