When IIS receives a CGI filename request, it automatically performs two actions before completing the request: IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check. When the security check is completed, IIS decodes CGI parameters. A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.
When IIS receives a CGI filename request, it automatically performs two actions before completing the request: 1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check. 2. When the security check is completed, IIS decodes CGI parameters. A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.
When IIS receives a CGI filename request, it automatically performs two actions before completing the request: 1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check. 2. When the security check is completed, IIS decodes CGI parameters. A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.
An attacker can execute a denial of service attack on ElectroComm by submitting two groups of approximately 160,000 characters to the target's telnet port. This increases CPU utilization to 100%, then crashes the service, which requires a restart.
A1Stats is a CGI product by Drummon Miles used to report on a website's visitor traffic. Versions of this product fail to properly validate user-supplied input submitted as querystrings to the A1Stats script. An attacker can compose a long path including '/../' sequences, and submit it as a file request to the product's built-in webserver. 'dot dot' sequences will not be filtered from the path, permitting the attacker to specify files outside the directory tree normally available to users. This can permit disclosure of confidential data and sensitive system files which, if properly exploited, could lead to further compromises of the host's security. Additionally, by appending a properly formatted echo command argumented by a filename writable by the webserver, this flaw allows the attacker to overwrite this file with A1Stats' output.
It is possible to remotely crash a system running Jana Server by submitting a URL request which specifies an MS-DOS devicename. A hard reboot of the exploited server will be required to restore web services.
It is possible for a remote user to traverse the directories of a host running Jana Server. Submitting a specially crafted URL using hex encoded 'double dot' sequences will reveal arbitrary directories. In addition to revealing directories, this vulnerability could enable a user to obtain the contents of files readable by the webserver user.
A problem in the package could allow remote users to crash the chat server. Upon receiving 100 connection requests from a host within a short period of time, and then receiving a message from same host via the chat client, the chat server exits abnormally. A manual restart is required to resume service.
It is possible for a remote user to cause a denial of service on a host running DSL_Vdns. Submitting data to port 6070 and closing the connection before the request is fulfilled, will cause DSL_Vdns to enter a 'Default.Closed' state; therefore, refusing any new connections.
A vulnerability exists in Jason Rahaim's MP3Mystic Server which allows a remote user to traverse the directories of a target host. This may lead to the disclosure of file and directory contents. Arbitrary directories can be accessed through the inclusion of double dot '../' sequences when submitting a URL.