iDEFENSE Security Advisory 11.04.02b: http://www.idefense.com/advisory/11.04.02b.txt Denial of Service Vulnerability in Xeneo Web Server November 4, 2002 I. BACKGROUND Northern Solutions' Xeneo Web Server is a "fast, compact web server that makes it easy to set up and administer a web site on the Windows platform." More information about the application is available at http://www.northernsolutions.com/index.php?view=product&id=1. II. DESCRIPTION Due to the improper handling of a specially crafted web request, remote attackers may launch a denial of service attack against the PHP version of Xeneo. The condition is triggered when the web server receives a request for '%'. Upon successful exploitation, the web server will crash with a Microsoft Visual C++ runtime error message. The following is an example attack URL: http://target.server/% III. ANALYSIS Any remote user with access to the application can launch this attack, thereby denying legitimate users access to the server and the contents and/or additional services provided. IV. DETECTION Xeneo 2.1.0.0 (PHP version) and 2.0.759.6 are vulnerable. V. WORKAROUND Use a filtering web proxy server to help mitigate against exploitation. VI. VENDOR FIX Xeneo 2.1.5 and later should fix the problem. The latest release is version 2.1.6.0, and it can be downloaded at http://www.northernsolutions.com/downloads/xeneo_php_setup.exe. VII. CVE INFORMATION The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1248 to this issue. VIII. DISCLOSURE TIMELINE 10/06/2002 Issue disclosed to iDEFENSE 10/31/2002 Author notified 10/31/2002 iDEFENSE clients notified 10/31/2002 Response received from Robert Shanahan (rshan@northernsolutions.com) 11/04/2002 Public disclosure IX. CREDIT Tamer Sahin (ts@securityoffice.net) discovered this vulnerability.