vendor: WebObjects 4.5 Developer
by: SecurityFocus
CVSS: 7.5 HIGH
Denial-of-Service
CWE: N/A
Product Name: WebObjects 4.5 Developer
Affected Version From: Windows NT 4.0 SP5
Affected Version To: Windows NT 4.0 SP5
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2002

Denial-of-Service Vulnerability in Apple’s WebObjects 4.5 Developer

An HTTP request sent with a long header (i.e., over 4.1K) will crash webobjects.exe. This may also permit the attacker to execute code remotely with the privileges of IIS, but this has not been verified.

Mitigation:

This vulnerability is reportedly present only in installations running under a development license. Those licensed for deployment are not affected.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1896/info

A denial-of-service vulnerability exists in Apple's WebObjects 4.5 Developer, a popular platform for developing web-based applications. The vulnerable version is the one for Windows NT 4.0 SP5, when run in conjunction with the CGI adapter and IIS 4.0.

An HTTP request sent with a long header (i.e., over 4.1K) will crash webobjects.exe. This may also permit the attacker to execute code remotely with the privileges of IIS, but this has not been verified.

This vulnerability is reportedly present only in installations running under a development license. Those licensed for deployment are not affected.

POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0
Accept: AAAAAAAAA.... (about 4.1K worth of A's)
Content-Length: 16

uselessdata=dork
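
A defensive check for the condition described above, as an added example that is not part of the original advisory or any vendor code: it measures each header after unfolding continuation lines and rejects requests before they reach a CGI adapter. The function names, the sample request and both size limits are assumptions chosen for illustration.

```python
# Added example (not vendor code): reject requests with oversized headers
# before they are handed to a CGI adapter. Both limits are assumptions.
MAX_HEADER_LINE = 4096    # assumed per-header cap, below the ~4.1K in the advisory
MAX_HEADER_BLOCK = 8192   # assumed cap for request line plus all headers


def split_head(raw: bytes) -> bytes:
    """Return request line and headers only; the body is never inspected."""
    ends = [i for i in (raw.find(b"\r\n\r\n"), raw.find(b"\n\n")) if i != -1]
    return raw[:min(ends)] if ends else raw  # no terminator: all header data


def unfold(lines):
    """Join folded continuation lines (leading SP/HTAB) onto their header."""
    out = []
    for line in lines:
        if out and line[:1] in (b" ", b"\t"):
            out[-1] += line
        else:
            out.append(line)
    return out


def check_request(raw: bytes):
    """Return (reason, header_name, size) findings; an empty list means accept."""
    head = split_head(raw)
    findings = []
    if len(head) > MAX_HEADER_BLOCK:
        findings.append(("header-block-too-large", None, len(head)))
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    for line in unfold(lines[1:]):  # lines[0] is the request line
        if len(line) > MAX_HEADER_LINE:
            name = line.split(b":", 1)[0].decode("latin-1").strip()
            findings.append(("header-line-too-long", name, len(line)))
    return findings


def sample(accept: bytes) -> bytes:
    """Constructed test request; the path and body are placeholders."""
    return (b"POST /example HTTP/1.0\r\nAccept: " + accept +
            b"\r\nContent-Length: 3\r\n\r\nx=1")


if __name__ == "__main__":
    for value in (b"text/html", b"A" * 4200, b"A" * 3000 + b"\r\n " + b"A" * 3000):
        print(check_request(sample(value)) or "accept")
```

The folded case matters because a check that measures physical lines only would pass a header that the adapter later reassembles into one oversized value.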