logo Home

Untitled Document

Home > Archives Advisories > Articles


Untitled Document

Untitled Document

Xeneo Web Server URL Encoding Denial of Service
Date: 2003-04-23

Author : Carsten H. Eiram <che@secunia.com>

=================================================

Secunia Research 23/04/2003

- Xeneo Web Server URL Encoding Denial of Service -

=================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/secunia_security_advisories/

=================================================
Table of Contents
1....................................................Affected Software
2.............................................................Severity
3.....................................Vendor's Description of Software
4.........................................Description of Vulnerability
5.............................................................Solution
6...........................................................Time Table
7..............................................................Credits
8........................................................About Secunia
9.........................................................Verification

=================================================
1) Affected Software

Xeneo Web Server 2.2.9 and prior.

=================================================
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where: From Remote

=================================================
3) Vendor's Description of Software

"Xeneo Web Server is designed to deliver high performance and
reliability. It can be easily extended and customized to host
everything from a personal web site to advanced web applications that
use ASP, PHP, ColdFusion, Perl, CGI and ISAPI."

"Key Xeneo Web Server features include: multiple domain support,
integrated Windows authentication, scripting interface, enhanced
filter support, ISAPI, CGI, ASP, SSL, intelligent file caching and
more."

Vendor:
http://www.northernsolutions.com

=================================================
4) Description of Vulnerability

A vulnerability in Xeneo Web Server can be exploited by malicious
people to cause a DoS (Denial of Service) on the web service.

The vulnerability is caused due to an error in the handling of
requests including a malformed URL encoding representation of a
character. By sending a request like the following, "xeneo.exe" will
crash with a runtime error.

Example:
http://[victim]/%A

The web service needs to be restarted manually before functionality
is restored.

=================================================
5) Solution

The vendor quickly responded by releasing version 2.2.10.

http://www.northernsolutions.com/index.php?view=product&sec=download&id=1

=================================================
6) Time Table

22/04/2003 - Vulnerability discovered.
22/04/2003 - Vendor notified.
23/04/2003 - Vendor response.
23/04/2003 - Public disclosure.

=================================================
7) Credits

Discovered by Carsten H. Eiram, Secunia Research.

=================================================
8) About Secunia

Secunia collects, validates, assesses and writes advisories regarding
all the latest software vulnerabilities disclosed to the public.
These advisories are gathered in a publicly available database at the
Secunia website:

http://www.secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://www.secunia.com/secunia_security_advisories/

=================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://www.secunia.com/secunia_research/2003-5/

=================================================



 

arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy