Reported October 9, 2003 by Ziv Kamir.

 

 

VERSIONS AFFECTED

 

Ritlabs TinyWeb 1.9

 

DESCRIPTION

 

A Denial of Service (DoS) vulnerability exists in Ritlabs TinyWeb 1.9. By sending a specially formed HTTP GET request, an attacker can crash the server.

 

DEMONSTRATION
 
The discoverer posted the following demonstration as proof of concept:

 

A remote user can issue an HTTP GET request for /cgi-bin/.%00./dddd.html and cause the server to consume large amounts of CPU time (88%-92%)

 

VENDOR RESPONSE

 

Ritlabs has been notified.

 

CREDIT                                                                                                       

Discovered by Ziv Kamir.