Spinworks Application Server v.3.0 Security advisory
Release date: 11-3-2004
Risk: Medium
Description:
The Spinworks Application Server allows Python developers to easily create and deploy complex web
applications such as information management sites, online stores, and intranets. Spinworks comes
with batteries included: Embedded Text Search, SQL Database, Email Client, and Bank Transactions Client.
Spinworks runs on practically all operating systems, including Windows, FreeBSD, OpenBSD and Linux, is
freely available as an Open Source product, and is written in C++.
Details:
(1) A vulnerability has been identified in the Spinworks application server that allows a remote user
to crash the server by supplying a '.' in the sid parameter.
Example:
http://[host]:5002/?sid=.
The above URL will crash the server.
(2) The Spinworks application server comes with a number of sample scripts. The first problem is located in
http://[server]:5002/Examples/cart/addcart.html?id=something. The id parameter is not validated against the
values it should accept, so a user can add fake products to the cart. The same problem exists in:
http://[server]:5002/Examples/instabuy/instabuy.html?id=something
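Both issues above come down to request parameters that are accepted without validation: the sid value in (1) and the id value in (2). The script below is an added example written for this advisory, not code from Spinworks or from the advisory author. It shows the defender's side of both findings: an allow-list check for the session id, a catalogue lookup for the product id, and a small scanner that runs those checks over access-log lines to flag the request shapes the advisory describes. The session-id format (hex, 8 to 64 characters), the product catalogue and the log lines are all constructed assumptions; a real deployment would substitute its own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory): method, path+query, status.
SAMPLE_LOG = """\
GET /?sid=a3f9c2d1e4b5 200
GET /?sid=. 500
GET /Examples/cart/addcart.html?id=1042 200
GET /Examples/cart/addcart.html?id=something 200
GET /Examples/instabuy/instabuy.html?id=7 200
GET /Examples/instabuy/instabuy.html?id=FREE-ITEM 200
"""

# Assumed session-id format: 8 to 64 hex characters. The advisory does not document the
# real Spinworks format; adjust the pattern to what the deployment actually issues.
SID_RE = re.compile(r"^[0-9a-fA-F]{8,64}$")

# Assumed product catalogue for the sample cart scripts (constructed for this example).
KNOWN_PRODUCT_IDS = {"1042", "7", "315"}

# Sample-script paths named in the advisory.
SAMPLE_SCRIPTS = ("/Examples/cart/addcart.html", "/Examples/instabuy/instabuy.html")


def validate_sid(sid):
    """Return True only if sid matches the expected session-id format (rejects '.')."""
    return bool(SID_RE.match(sid))


def validate_product_id(pid):
    """Return True only if pid is a digit string naming a product the shop actually sells."""
    return pid.isdigit() and pid in KNOWN_PRODUCT_IDS


def check_request(path_and_query):
    """Apply both validations to one request target; return a list of findings (empty = clean)."""
    parts = urlsplit(path_and_query)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for sid in params.get("sid", []):
        if not validate_sid(sid):
            findings.append(f"malformed sid {sid!r}")
    if parts.path in SAMPLE_SCRIPTS:
        for pid in params.get("id", []):
            if not validate_product_id(pid):
                findings.append(f"unknown product id {pid!r} on {parts.path}")
    return findings


def scan_log(text):
    """Run check_request over each log line; return (line, findings) pairs for flagged lines."""
    flagged = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or truncated lines
        findings = check_request(fields[1])
        if findings:
            flagged.append((line, findings))
    return flagged


if __name__ == "__main__":
    for line, findings in scan_log(SAMPLE_LOG):
        print(line, "->", "; ".join(findings))
```

The same two validators belong in front of the server as well as in the log review: rejecting any sid that fails the format check before it reaches the application removes the reported crash trigger, and looking the id up in the catalogue instead of trusting the client stops fake products from entering the cart.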
Credits:
-------
Vulnerability found by: Dr_insane (dr_insane@pathfinder.gr)
Advisory by: Dr_insane