Vulnerability: SmallHTTPServer
Affected: SmallHTTPServer 2.01

Description:
The following is based on a 403-security Security Advisory by Kotarac Ante.

1st Problem: By default, if a user sends a request without a file name specified (http://host/subdirectory/), HTTPServer looks for index.html in that folder, and if it does not exist the server consumes 68K of memory. The directory does not need to exist. So anyone can write a small program that sends a lot of such requests to fill up memory (5000 requests will fill 300Mb of memory).

2nd Problem: SmallHTTPServer supports Server Side Includes. When HTTPServer finds an SSI tag whose value is left empty, like this: <!--#tag_name= --> it will crash. #tag_name can be any of the supported tags (#fsize, #include, #printenv, ...). In order for SSI tags to be executed, the file must be *.shtm or *.shtml.

3rd Problem: This insecure server will crash if an attacker sends a few GET, HEAD or POST requests and closes the connection before the server has answered.

Solution:
The vendor fixed these problems by issuing a new version (2.03).
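An operator who cannot upgrade immediately may want to verify that no SSI page in the document root contains the empty-valued tag form that triggers the 2nd Problem. The following scanner is an added example, not part of the advisory or of SmallHTTPServer; the tag syntax comes from the advisory, while the whitespace tolerance of the pattern and the sample page are assumptions.

```python
import re
import sys
from pathlib import Path

# Matches an SSI directive whose value is empty, e.g. "<!--#fsize= -->",
# the form the advisory reports as crashing the server. Tolerating
# whitespace around "=" is an assumption, not something the advisory states.
EMPTY_SSI_TAG = re.compile(r"<!--#(?P<tag>[A-Za-z_]\w*)\s*=\s*-->")

# Per the advisory, only these extensions are processed for SSI.
SSI_SUFFIXES = {".shtm", ".shtml"}


def find_empty_ssi_tags(text: str) -> list[tuple[int, str]]:
    """Return (line_number, tag_name) for every empty-valued SSI tag in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in EMPTY_SSI_TAG.finditer(line):
            hits.append((lineno, match.group("tag")))
    return hits


def scan_docroot(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Scan every *.shtm / *.shtml file under root; map relative path -> hits."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SSI_SUFFIXES:
            hits = find_empty_ssi_tags(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample page (not from the advisory): one well-formed include
# and two empty-valued tags that a vulnerable 2.01 server would crash on.
SAMPLE_SHTML = """<html><body>
<!--#include virtual="header.html" -->
<p>Size: <!--#fsize= --></p>
<!--#printenv=-->
</body></html>
"""

if __name__ == "__main__":
    docroot = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for rel, hits in scan_docroot(docroot).items():
        for lineno, tag in hits:
            print(f"{rel}:{lineno}: empty SSI tag #{tag}")
```

Run it with the server's document root as the only argument; any reported file should be fixed or removed before the server is exposed.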