Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: vws~1.htm

vWebServer show-code vulnerability



Vulnerability

    vWebServer

Affected

    vWebServer

Description

    Extirpater found following.

    1- ASP file source disclosing:
    ==============================
    Adding a  unicoded space  character at  the end  of requested URL,
    vWebServer  shows  the  ASP  file  instead  of  executing  it.  An
    example request looks this

        http://www.TargetHost.com/anything.asp%20

    2- DOS device filename vulnerability:
    =====================================
    Under Windows 9x, using any DOS device names (aux, con, prn,  ...)
    as a filename  or directory crashes  Windows.  vWebServer  doesn't
    filter those requests.

    Below example  crashes both  web server  and Windows  with a  blue
    screen of death.  Example:

        http://www.TargetHost.com/aux/aux

    3- Very long URL vulnerability:
    ===============================
    Requesting a very long URL (tested 8192 bytes long) will  resulted
    in Error  #5, File  error.   After requesting  2-3 times  the same
    URL, web server will no longer response anything.  Restart needed.
    Example:

        http://www.TargetHost.com/AAAAAAAAA...(Ax8192)...AAA

   Credit goes to Melih SARICA and Bilgiteks IT.

Solution

    Informed and confirmed.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH