From: Steve (steveSECURESOLUTIONS.ORG)
Date: Mon Jan 22 2001 - 19:39:57 CST


    -----Original Message-----
    From: Peter Gründl
    Sent: Monday, January 22, 2001 5:31 AM
    Subject: def-2001-05: Netscape Fasttrack Server Caching DoS

    ======================================================================
                       Defcom Labs Advisory def-2001-05

                    Netscape Fasttrack Server Caching DoS

    Author: Peter Gründl <peter.grundldefcom.com>
    Release Date: 2001-01-22
    ======================================================================
    ------------------------=[Brief Description]=-------------------------
    The Fasttrack 4.1 server has problems with its caching module. The
    problem can result in all the server memory being consumed and thus
    causing the server to perform very sluggishly.

    ------------------------=[Affected Systems]=--------------------------
    - Netscape Fasttrack Server 4.1 for Windows NT 4.0

    ----------------------=[Detailed Description]=------------------------
    The Fasttrack 4.1 server caches requests for non-existing URLs with
    valid extensions (e.g. .html). The cached resources are not freed
    again (at least not after half an hour), so a malicious user could
    cause the web server to perform very sluggishly, simply by requesting
    a lot of non-existing html-documents on the web server.

    ---------------------------=[Workaround]=-----------------------------
    None known.

    -------------------------=[Vendor Response]=--------------------------
    This issue was brought to the vendor's attention on the 7th of
    December, 2000. Vendor replied that the Fasttrack server is not meant
    for production environments and as that, the issue will not be fixed.

    ======================================================================
                 This release was brought to you by Defcom Labs

                   labsdefcom.com www.defcom.com
    ======================================================================

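With no workaround or fix available, spotting the request pattern the advisory describes falls to log monitoring. The following is an added example, not part of the advisory or the vendor's software: it counts distinct non-existing URLs with cacheable extensions per client in a sliding window. It assumes access logs in Common Log Format; the extension list, window, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+)[^"]*" (\d{3}) \S+$')
CACHEABLE_EXT = (".html", ".htm")  # assumption: extensions the server treats as valid
WINDOW = timedelta(minutes=5)      # assumption: tune to the site's normal traffic
THRESHOLD = 3                      # kept low so the constructed sample triggers it

def parse(line):
    """Return (host, time, path, status) or None for lines that are not CLF."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, ts, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return host, when, path.split("?", 1)[0].lower(), int(status)

def flag_cache_fillers(lines, threshold=THRESHOLD, window=WINDOW):
    """Map host -> peak count of distinct missing cacheable URLs in any window."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 404 and rec[2].endswith(CACHEABLE_EXT):
            misses[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for host, events in misses.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            # Distinct paths only: repeats of one URL are assumed to reuse one entry.
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= threshold:
            flagged[host] = best
    return flagged

# Constructed sample log lines (documentation-range addresses, not real traffic).
_T = '{} - - [22/Jan/2001:10:00:{:02d} -0600] "GET {} HTTP/1.0" {} 207'
SAMPLE_LOG = [_T.format(*r) for r in [
    ("192.0.2.10", 1, "/a1.html", 404), ("192.0.2.10", 2, "/a2.html", 404),
    ("192.0.2.10", 3, "/a3.html", 404), ("192.0.2.10", 4, "/a4.html", 404),
    ("198.51.100.7", 5, "/index.html", 200), ("198.51.100.7", 6, "/old.html", 404),
    ("198.51.100.7", 7, "/favicon.ico", 404), ("203.0.113.5", 8, "/x.html", 404),
    ("203.0.113.5", 9, "/x.html", 404), ("203.0.113.5", 10, "/x.html", 404),
]]
print(flag_cache_fillers(SAMPLE_LOG))
```

A flagged host is a candidate for rate limiting or blocking upstream of the server; a broken crawler or link checker produces the same pattern, so review before acting.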