Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: xitami3.htm

Xitami Web Server - crash it with a simple GET!



Vulnerability

    Xitami

Affected

    Xitami

Description

    Simon  Breathnach  found  following.   Anyone  can  remotely crash
    Xitami webserver by  sending simple GET  command.  On  remote side
    will be:

        Assertion Failed!
        Module: D:\Imatix\Develop\Smt\Smthttpl.c , line 745

    All you need to do is just telnet to remote computer and execute

        GET<space><enter><enter>

    command.  Also Xitami will crash if you'll execute

        POST<space><enter><enter>

    or

        HEAD<space><enter><enter> command.

    There is another  DoS in Xitami.   By default installation  Xitami
    allows anonymous users on ftp.   So connect to remote computer  as
    anonymous user and execute cd con/con command.

Solution

    Xitami 2.4d7 and 2.5b3 were released fixing the DoS bugs  reported
    here and elsewhere.  The latest 2.5b3 beta also corrects a  number
    of big issues in the previous betas, and is being used heavily  on
    a  number  of  sites,  with  apparent  success.  The latest GSLgen
    (GSLgen/2.0) is provided  in the beta  package.  Your  old GSL/1.3
    scripts *won't* work without changes - the language has evolved...


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH