Vulnerability

    Xitami

Affected

    Xitami

Description

    Simon Breathnach found the following. Anyone can remotely crash the Xitami web server by sending a simple GET command. The remote side will show:

        Assertion Failed! Module: D:\Imatix\Develop\Smt\Smthttpl.c , line 745

    All you need to do is telnet to the remote computer and execute the GET<space><enter><enter> command. Xitami will also crash if you execute the POST<space><enter><enter> or HEAD<space><enter><enter> command.

    There is another DoS in Xitami. In the default installation, Xitami allows anonymous users on FTP. So connect to the remote computer as an anonymous user and execute the cd con/con command.

Solution

    Xitami 2.4d7 and 2.5b3 were released fixing the DoS bugs reported here and elsewhere. The latest 2.5b3 beta also corrects a number of big issues in the previous betas, and is being used heavily on a number of sites, with apparent success. The latest GSLgen (GSLgen/2.0) is provided in the beta package. Your old GSL/1.3 scripts *won't* work without changes - the language has evolved...
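
The GET/POST/HEAD crash in the Description is an assertion firing on input the remote client controls. As an added example (not Xitami's code; every name in it is hypothetical), a request-line parser that answers an empty request target with a 400 status instead of asserting:

```c
#include <stdio.h>
#include <string.h>

/* Added example; all names here are hypothetical, not Xitami's. */
enum { REQ_OK = 0, REQ_BAD = 400, REQ_NOT_IMPLEMENTED = 501 };

struct request_line { char method[8]; char target[256]; char version[16]; };

/* Copy the next token (up to space/CR/LF) into out and advance *p.
   Returns the token length, or -1 if it does not fit in cap bytes. */
static int next_token(const char **p, char *out, size_t cap)
{
    size_t n = strcspn(*p, " \r\n");
    if (n >= cap) return -1;
    memcpy(out, *p, n);
    out[n] = '\0';
    *p += n;
    return (int)n;
}

/* Validate untrusted input with error returns, never assert(). */
int parse_request_line(const char *line, struct request_line *rl)
{
    const char *p = line;
    memset(rl, 0, sizeof *rl);
    if (next_token(&p, rl->method, sizeof rl->method) <= 0) return REQ_BAD;
    if (*p != ' ') return REQ_BAD;              /* "GET\r\n": no separator */
    p++;
    /* "GET \r\n" arrives here with an empty target, the advisory's case. */
    if (next_token(&p, rl->target, sizeof rl->target) <= 0) return REQ_BAD;
    if (*p == ' ') {                            /* optional HTTP-version */
        p++;
        if (next_token(&p, rl->version, sizeof rl->version) <= 0) return REQ_BAD;
        if (strncmp(rl->version, "HTTP/", 5) != 0) return REQ_BAD;
    }
    if (*p == ' ') return REQ_BAD;              /* trailing extra token */
    if (strcmp(rl->method, "GET") && strcmp(rl->method, "HEAD") &&
        strcmp(rl->method, "POST")) return REQ_NOT_IMPLEMENTED;
    return REQ_OK;
}

int main(void)
{
    /* Constructed sample request lines. */
    const char *samples[] = { "GET \r\n", "POST \r\n", "HEAD \r\n",
                              "GET /index.html HTTP/1.0\r\n", "GET /\r\n" };
    struct request_line rl;
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d\n", parse_request_line(samples[i], &rl));
    return 0;
}
```

Over-long tokens are also returned as REQ_BAD here because the token buffers are fixed-size; a production server would map that case to its own status code.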