From: Peter Gründl (pgrundl kpmg.dk)
Date: Mon Jun 17 2002 - 02:27:10 CDT
--------------------------------------------------------------------
Title: Resin DOS device Denial of Service
BUG-ID: 2002022
Released: 17th Jun 2002
--------------------------------------------------------------------
Problem:
========
A malicious user can cause a Denial of Service by requesting URLs whose
file name is a Windows DOS device name (for example con.jsp) from the
Resin web server.
Vulnerable:
===========
- Resin 2.1.1 standalone on Windows 2000 Server
Not Vulnerable:
===============
- Resin 2.1.2 standalone on Windows 2000 Server
Details:
========
Requesting the DOS device name "con" with an extension for which Resin
has a registered handler (eg. con.jsp or con.xtp) ties up a worker
thread, because the request never completes. After roughly 150 such
requests every worker thread is blocked and the server no longer
services HTTP requests.
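The check behind this advisory, as an added example that is not code from the advisory or from Caucho's Resin: a Python filter that recognises a request path resolving to a Windows reserved device name, and a scanner that counts such requests per source address against an assumed worker-thread limit. The list of names is the documented Win32 set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), which goes beyond the "con" the advisory tested; the threshold of 150 is taken from the advisory's observation and the log lines are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote, urlsplit

# Windows reserved device names (from the Win32 file-naming rules). A path
# component whose base name equals one of these maps to the device, whatever
# extension follows it: "con.jsp" and "CON.xtp" both resolve to CON. The
# advisory only reports "con"; the other names are included on the assumption
# that the same Windows name resolution applies to them.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Worker-thread count assumed for the alert threshold; the advisory reports the
# server stopped answering after roughly 150 hung requests.
DEFAULT_THREAD_POOL = 150


def reserved_device_in_path(request_target: str) -> Optional[str]:
    """Return the reserved device name a request path would resolve to on
    Windows, or None. Every path component is checked, not just the last one,
    because a servlet path such as /con.jsp may be followed by path info."""
    path = unquote(urlsplit(request_target).path)
    for segment in re.split(r"[\\/]+", path):
        # Windows ignores anything after the first dot when matching a device
        # name, strips trailing spaces, and treats "con:stream" as CON.
        base = segment.split(":", 1)[0].split(".", 1)[0].rstrip(" ")
        if base.upper() in RESERVED_DEVICES:
            return base.upper()
    return None


# Common Log Format request line; enough to recover source address and target.
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines: Iterable[str]) -> Dict[str, int]:
    """Count device-name requests per source address."""
    hits = Counter()
    for line in lines:
        m = _LOG_LINE.match(line)
        if m is None:
            continue  # not a request line in the expected format; skip it
        if reserved_device_in_path(m["target"]) is not None:
            hits[m["ip"]] += 1
    return dict(hits)


def exhausted_sources(hits: Dict[str, int], thread_pool: int = DEFAULT_THREAD_POOL) -> List[str]:
    """Sources that sent enough device-name requests to hang every worker thread."""
    return sorted(ip for ip, n in hits.items() if n >= thread_pool)


# Constructed sample log (not from any real server) mixing the attack pattern
# with ordinary traffic, including the look-alike "console.jsp".
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jun/2002:02:27:10 -0500] "GET /con.jsp HTTP/1.0" 200 0',
    '192.0.2.10 - - [17/Jun/2002:02:27:11 -0500] "GET /app/CON.xtp?id=1 HTTP/1.0" 200 0',
    '192.0.2.10 - - [17/Jun/2002:02:27:12 -0500] "GET /c%6Fn.jsp/extra HTTP/1.0" 200 0',
    '198.51.100.7 - - [17/Jun/2002:02:27:13 -0500] "GET /index.jsp HTTP/1.0" 200 1234',
    '198.51.100.7 - - [17/Jun/2002:02:27:14 -0500] "GET /console.jsp HTTP/1.0" 200 1234',
]

if __name__ == "__main__":
    counts = scan_access_log(SAMPLE_LOG)
    print("device-name requests per source:", counts)
    print("sources at the 150-thread limit:", exhausted_sources(counts))
    print("sources at an assumed 3-thread limit:", exhausted_sources(counts, thread_pool=3))
```

One caveat when using this against real logs: a request that hangs a worker thread never completes, so a server that writes its access log on response completion will not record it. Apply the check at a front proxy, or reject such paths before they reach the servlet container, rather than relying on the container's own log.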
Vendor URL:
===========
You can visit the vendor webpage here: http://www.caucho.com
Vendor Response:
================
This was reported to the vendor on the 23rd of May, 2002. On the 28th
of May, 2002 the vendor released a new snapshot (beta) that corrected
the issue. On the 11th of June, 2002 the vendor released a new version
that corrects the issue.
Corrective action:
==================
Upgrade to version 2.1.2 available from:
http://www.caucho.com/download/
Author: Peter Gründl (pgrundl kpmg.dk)
--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be liable
for any consequences whatsoever arising out of or in connection with
the use or spread of this information.
--------------------------------------------------------------------