Public Vulnerability Reports

Denial of Service Vulnerability in Xeneo Web Server

11.04.02

BACKGROUND

Northern Solutions' Xeneo Web Server is a "fast, compact web server that makes it easy to set up and administer a web site on the Windows platform." More information about the application is available at http://www.northernsolutions.com/index.php?view=product&id=1.

DESCRIPTION

Due to the improper handling of a specially crafted web request, remote attackers may launch a denial of service attack against the PHP version of Xeneo. The condition is triggered when the web server receives a request for '%'. Upon successful exploitation, the web server will crash with a Microsoft Visual C++ runtime error message. The following is an example attack URL:

http://target.server/%

ANALYSIS

Any remote user with access to the application can launch this attack, thereby denying legitimate users access to the server and the contents and/or additional services provided.

DETECTION

Xeneo 2.1.0.0 (PHP version) and 2.0.759.6 are vulnerable.

WORKAROUND

Use a filtering web proxy server to help mitigate against exploitation.

VENDOR RESPONSE

Xeneo 2.1.5 and later should fix the problem. The latest release is version 2.1.6.0, and it can be downloaded at http://www.northernsolutions.com/downloads/xeneo_php_setup.exe.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1248 to this issue.

DISCLOSURE TIMELINE

10/06/2002 Issue disclosed to iDEFENSE
10/31/2002 Author notified
10/31/2002 iDEFENSE clients notified
10/31/2002 Response received from Robert Shanahan (rshan@northernsolutions.com)
11/04/2002 Public disclosure

CREDIT

Tamer Sahin (ts@securityoffice.net) discovered this vulnerability.