Mbedthis AppWeb Can Be Crashed By Remote Users
SecurityTracker Alert ID: 1008848
SecurityTracker URL: http://securitytracker.com/id/1008848
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Feb 3 2004
Original Entry Date: Jan 26 2004
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 1.0.0

Description:
Ziv Kamir of Global Security Solution IT (GSSIT) reported a vulnerability in the Mbedthis AppWeb web server software. A remote user can crash the web service.
It is reported that a remote user can send any of the following types of HTTP requests to the target server to cause the web service to crash:
OPTIONS
GET /COM1 HTTP/1.0
GET /LPT1 HTTP/1.0
The vendor was reportedly notified on January 25, 2004.

Impact:
A remote user can cause the web service to crash.

Solution:
The vendor has issued a fixed version (1.0.1), available at:
http://www.mbedthis.com/downloads/appWeb/info.php
http://www.mbedthis.com/downloads/appWeb/index.html
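
A pre-dispatch check that would reject the three request shapes listed in the Description before they reach file handling, as an added example (not Mbedthis code and not the 1.0.1 fix). It generalizes from COM1 and LPT1 to the full set of reserved DOS device names; `is_dos_device` and `check_request_line` are hypothetical names, and the request target is assumed to be URL-decoded already.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if a path segment names a reserved DOS device (CON, PRN, AUX, NUL,
 * COM1-9, LPT1-9). Win32 path handling treats these as devices in any
 * directory, ignoring case, an extension, and trailing dots or spaces. */
static int is_dos_device(const char *seg, size_t len)
{
    char base[5];
    size_t n = 0, i;
    while (n < len && seg[n] != '.' && seg[n] != ':')
        n++;                               /* base name ends at '.' or ':' */
    while (n > 0 && seg[n - 1] == ' ')
        n--;                               /* trailing spaces are ignored */
    if (n < 3 || n > 4)
        return 0;
    for (i = 0; i < n; i++)
        base[i] = (char)toupper((unsigned char)seg[i]);
    base[n] = '\0';
    if (n == 3)
        return !strcmp(base, "CON") || !strcmp(base, "PRN") ||
               !strcmp(base, "AUX") || !strcmp(base, "NUL");
    return (!strncmp(base, "COM", 3) || !strncmp(base, "LPT", 3)) &&
           base[3] >= '1' && base[3] <= '9';
}

/* Hypothetical pre-dispatch check. Returns 0 to accept, 400 for a malformed
 * request line (such as a bare method with no target or version), 403 when
 * the path holds a device name. Assumes the target is already URL-decoded. */
int check_request_line(const char *line)
{
    char method[16], target[1024], version[16];
    const char *p = target;
    if (sscanf(line, "%15s %1023s %15s", method, target, version) != 3)
        return 400;
    if (strncmp(version, "HTTP/", 5) != 0)
        return 400;
    while (*p && *p != '?') {              /* stop at the query string */
        size_t len;
        while (*p == '/' || *p == '\\')
            p++;
        len = strcspn(p, "/\\?");
        if (len && is_dos_device(p, len))
            return 403;
        p += len;
    }
    return 0;
}
```

A two-token HTTP/0.9 request line is also answered with 400 by this check, which is a policy choice of the example.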

Vendor URL: www.mbedthis.com/products/appWeb/index.html

Cause: Exception handling error

Underlying OS: Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History: None.

Source Message Contents
Date: Mon, 26 Jan 2004 00:57:51 -0800 (PST)
Subject: Mbedthis AppWeb
26/01/04
====================================
GSSIT - Global Security Solution IT
====================================
-------------------------------------------------------
Application: Mbedthis AppWeb
Web Site: http://www.mbedthis.com
Versions: 1.0.0
Platform: Tested On win2k
Bug : D.O.S
Credits:
########
#########################################
# == Ziv Kamir == #
# #
# GSSIT - Global Security Solution IT #
# #
# Email : gss_it@yahoo.com #
# #
# #
#########################################
---------------------
1) Introduction
2) Bug
3) The Code
4) Fix
================
1) Introduction
================
Mbedthis AppWeb is the first embedded web server that has been designed
from the start with security in mind. It is a very fast, small-footprint,
standards based server specifically developed for use by applications and embedded devices.
=======
2) Bug
=======
A remote user can crash the web server.
===========
3) The Code
===========
A remote user can send the following requests to crash the server:
1) OPTIONS
2) GET /COM1 HTTP/1.0
3) GET /LPT1 HTTP/1.0
======
4) Fix
======
Date of Vendor Notification:
----------------------------
25/01/04
Response:
---------
Thanks for the feedback,
==============================================================================================
*** The Data is for educational purpose only. ***
The information in this bulletin is provided "AS IS" without
warranty of any kind. In no event shall we be liable for any
damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages.
==============================================================================================