Name: VisNetic WebSite Denial of Service
Date: 12th of December 2002
Software affected: VisNetic WebSite 3.5.13.1 (prior versions are vulnerable)
Advisory: http://www.krusesecurity.dk/advisories/vis0102.txt
Risk: Medium

Legal Notice: This Advisory is copyright by Peter Kruse. You may distribute this unmodified.

Disclaimer: The opinions expressed in this advisory are my own and not that of any company. The usual standard disclaimer applies, especially the fact that Peter Kruse or Kruse Security is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program.

Vendor Description: VisNetic WebSite, the first web server developed specifically for Windows, can use almost any development platform, and includes features that allow web developers to create powerful, flexible web sites. VisNetic WebSite is a secure Windows-based web server that supports multiple domains, and allows TLS/SSL secured domains. This web server also includes support for a user database that can restrict access to content, and is immune to many of the security issues that may arise with other popular web servers.

Problem: During a trial installation of the VisNetic WebSite package I discovered a bug in the software that would crash the server when handling special long URLs. The server is subject to a Denial of Service attack. The weakness could allow a malicious attacker to send an oversized packet to the server, which will cause a Denial of Service in the application.

Description: The flaw can be exploited with the OPTIONS request method. By sending an "OPTIONS /AAAAAAA.HTML" request with approx. 5001 A's you can crash the application. The server will crash with an instruction (write) fault at 0x00417d54 pointing to 0x41414141 in the httpd32.exe application. This weakness has been verified by testing against the latest WebSite software from Deerfield (v3.5.13.1).
It should be noted that an attack will still be recorded in the log file, where a company attacked with this long URL can inspect it.

Credit: I would like to thank Deerfield for quick and very professional handling of the reported issue. An update has been released and can be downloaded from Deerfield's web site at: http://www.deerfield.com/download/visnetic_website/

The update can also be downloaded from the VisNetic WebSite administration console, support tab, check for updates (at the bottom of the tab).

Kind regards
Peter Kruse
Kruse Security
http://www.krusesecurity.dk
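
Since the advisory notes that the long request still appears in the log file, the following sketch shows one way to find such entries. It is an added example, not part of the original advisory or of Deerfield's software; it assumes the access log is in NCSA Common Log Format, and the 2048-byte threshold, the function names and the sample log lines are constructed for illustration.

```python
import re

# Assumption: access log is in NCSA Common Log Format (adjust for other formats).
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S*)(?: [^"]*)?" (?P<status>\S+) (?P<size>\S+)'
)
MAX_URI = 2048  # assumed site threshold, far below the ~5001 bytes in the advisory


def longest_run(text):
    """Length of the longest run of a single repeated character (filler padding)."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def scan(lines, max_uri=MAX_URI):
    """Return one finding per request whose URI is longer than max_uri."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CLF.match(line)
        if m is None:
            # An entry that does not parse (e.g. truncated) is judged by raw length.
            if len(line) > max_uri:
                findings.append({"line": lineno, "host": None, "method": None,
                                 "length": len(line), "filler_run": longest_run(line)})
            continue
        uri = m["uri"]
        if len(uri) > max_uri:
            findings.append({"line": lineno, "host": m["host"], "method": m["method"],
                             "length": len(uri), "filler_run": longest_run(uri)})
    return findings


# Constructed sample log (documentation IP ranges); not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2002:10:14:55 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [12/Dec/2002:10:14:58 +0100] "OPTIONS / HTTP/1.0" 200 0',
    '198.51.100.7 - - [12/Dec/2002:10:15:02 +0100] "OPTIONS /' + "A" * 5001 + '.HTML HTTP/1.0" - -',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A long run of one repeated character in the URI, reported as filler_run, separates padding of this kind from legitimately long query strings.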