Reported October 9, 2003 by Ziv Kamir.

 

 

VERSIONS AFFECTED

 

Ritlabs TinyWeb 1.9

 

DESCRIPTION

 

A Denial of Service (DoS) vulnerability exists in Ritlabs TinyWeb 1.9. By sending a specially formed HTTP GET request, an attacker can crash the server.

 

DEMONSTRATION

 

The discoverer posted the following demonstration as proof of concept:

 

A remote user can issue an HTTP GET request for /cgi-bin/.%00./dddd.html and cause the server to consume large amounts of CPU time (88%-92%).
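The request above carries a percent-encoded NUL byte (%00) inside a path segment. As an added example, not from the advisory or from Ritlabs, the following defender-side check decodes a request path, rejects NUL/control bytes and ".." segments before anything reaches the file system, and flags matching entries in constructed Common Log Format lines:

```python
import posixpath
from urllib.parse import unquote_to_bytes


def decode_request_path(raw_path):
    """Percent-decode the path part of a request target (query string dropped)."""
    path_only = raw_path.split("?", 1)[0]
    return unquote_to_bytes(path_only)


def is_safe_request_path(raw_path):
    """True only if the decoded path is absolute, has no NUL or other control
    bytes, and contains no '..' segment; anything else is rejected up front."""
    decoded = decode_request_path(raw_path)
    if not decoded.startswith(b"/"):
        return False
    if any(b < 0x20 or b == 0x7F for b in decoded):  # NUL and control bytes
        return False
    if b".." in decoded.split(b"/"):
        return False
    # Normalising must not change the path once the checks above pass.
    return posixpath.normpath(decoded) == decoded.rstrip(b"/") or decoded == b"/"


def flag_suspicious_requests(log_lines):
    """Return the request targets in CLF lines that fail is_safe_request_path."""
    flagged = []
    for line in log_lines:
        try:
            request = line.split('"')[1]          # e.g. 'GET /x HTTP/1.0'
            _method, target, _version = request.split(" ", 2)
        except (IndexError, ValueError):
            continue                              # malformed line, skip it
        if not is_safe_request_path(target):
            flagged.append(target)
    return flagged


# Constructed sample log lines; the second reproduces the advisory's request path.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Oct/2003:12:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.10 - - [09/Oct/2003:12:00:01 +0000] "GET /cgi-bin/.%00./dddd.html HTTP/1.0" 200 0',
    '192.0.2.11 - - [09/Oct/2003:12:00:02 +0000] "GET /cgi-bin/../x.html HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    print(flag_suspicious_requests(SAMPLE_LOG))
```

The decode-then-check order matters: matching on the literal string "%00" alone misses mixed-case or differently encoded forms, while checking the decoded bytes does not.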

 

VENDOR RESPONSE

 

Ritlabs (http://www.ritlabs.com/) has been notified.

 

CREDIT

Discovered by Ziv Kamir.