Name:              VisNetic WebSite Denial of Service
Date:              12th of December 2002
Software affected: VisNetic WebSite 3.5.13.1
                   (prior versions are vulnerable)
Advisory:          http://www.krusesecurity.dk/advisories/vis0102.txt
Risk:              Medium


Legal Notice:

This Advisory is copyright by Peter Kruse. You may distribute
this unmodified.

Disclaimer:

The opinions expressed in this advisory are my own and not that
of any company. The usual standard disclaimer applies, especially
the fact that Peter Kruse or Kruse Security is not liable for 
any damages caused by direct or indirect use of the information 
or functionality provided by this advisory or program.

Vendor Description:

VisNetic Website, the first web server developed specifically for
Windows, can use almost any development platform, and includes
features that allow web developers to create powerful, flexible
web sites. VisNetic WebSite is a secure Windows-based web server
that supports multiple domains, and allows TLS/SSL secured
domains. This web server also includes support for a user
database that can restrict access to content, and is immune to
many of the security issues that may arise with other popular
web servers.

Problem:

During a trial installation of the Visnetic website package I
discovered a bug in the software that would crash the server on
handling special longsized URLs. The server is subject to a
Denial of Service attack. The weakness could allow a malicous
attacker to send an oversized packet to the server which will
effect a Denial of Service to the application.

Description:

The flaw can be exploited with the /OPTIONS. With a "OPTIONS
/AAAAAAA.HTML" approx. 5001 A's you can send data to the
webserver and crash the application. The server will crash with
an instruction (write) fault at 0x00417d54 pointing to
0x41414141 in the httpd32.exe application. This weakness has
been verified by testing against the latest website software from
Deerfield (v3.5.13.1).

It should be noted that an attack will still be caught in the log
file for inspection by a company attacked by this long URL.

Credit:

I would like to thank Deerfield for quick and very professional
handling of the reported issue. An update has been released and
can be downloaded from Deerfield's web site at:

http://www.deerfield.com/download/visnetic_website/

The update can also be downloaded from the Visnetic WebSite
administration console, support tab, check for updates (at the
bottom of the tab). 

Kind regards

Peter Kruse
Kruse Security
http://www.krusesecurity.dk