mailing list archives
Denial of Service vulnerability in VisNetic Website
From: "Peter Kruse" <kruse () krusesecurity dk>
Date: Wed, 11 Dec 2002 23:35:00 +0100
Name: VisNetic WebSite Denial of Service
Date: 12th of December 2002
Software affected: VisNetic WebSite 220.127.116.11
(prior versions are vulnerable)
This Advisory is copyright by Peter Kruse.
You may distribute this unmodified.
The opinions expressed in this advisory are my own and not that of any
The usual standard disclaimer applies, especially the fact that Peter
or Kruse Security is not liable for any damages caused by direct or
use of the information or functionality provided by this advisory or
VisNetic WebSite, the first web server developed specifically for
can use almost any development platform, and includes features that
developers to create powerful, flexible web sites. VisNetic WebSite is a
Windows-based web server that supports multiple domains, and allows
secured domains. This web server also includes support for a user
can restrict access to content, and is immune to many of the security
that may arise with other popular web servers.
During a trial installation of the VisNetic WebSite package I discovered
in the software that would crash the server on handling special
The server is subject to a Denial of Service attack. The weakness could
a malicious attacker to send an oversized packet to the server which will
a Denial of Service to the application.
The flaw can be exploited with the /OPTIONS.
With a "OPTIONS /AAAAAAA.HTML" approx. 5001 A's you can send data to the
and crash the application. The server will crash with an instruction
at 0x00417d54 pointing to 0x41414141 in the httpd32.exe application.
has been verified by testing against the latest website software from
It should be noted that an attack will still be caught in the log file
inspection by a company attacked by this long URL.
Update your VisNetic WebSite to version 3.5.15.
I would like to thank Deerfield for quick and very professional handling
reported issue. An update has been released and can be downloaded from
web site at:
The update can also be downloaded from the VisNetic WebSite
support tab, check for updates (at the bottom of the tab).
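
The advisory notes that the long URL is still caught in the log file. The following log check is an added example, not part of the original advisory or the vendor's tooling; it assumes Common Log Format entries and a 2048-character URI threshold, neither of which comes from the advisory, and it also reports entries cut short when the server stops mid-request.

```python
import re
from collections import Counter

# Assumption: access log in Common Log Format; the advisory does not show
# VisNetic WebSite's own log layout. The threshold is also an assumption.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>.*)" (?:\d{3}|-) (?:\d+|-)$')
MAX_URI = 2048

def split_request(req):
    """Return (method, uri) from a request line, with or without HTTP version."""
    parts = req.split(" ")
    if len(parts) >= 3 and parts[-1].startswith("HTTP/"):
        parts = parts[:-1]
    return parts[0], " ".join(parts[1:])

def filler_ratio(text):
    """Share of the most frequent character; near 1.0 means padding."""
    return Counter(text).most_common(1)[0][1] / len(text) if text else 0.0

def scan(lines, max_uri=MAX_URI):
    """Flag overlong request URIs, including entries cut short mid-write."""
    findings = []
    for number, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        match = CLF.match(line)
        if match is None:
            # A server that dies while handling the request may leave a
            # truncated entry; size alone is still worth reporting.
            if len(line) > max_uri:
                findings.append({"line": number, "ip": line.split(" ", 1)[0],
                                 "method": None, "uri_len": None,
                                 "filler": round(filler_ratio(line), 3),
                                 "reason": "unparsed overlong entry"})
            continue
        method, uri = split_request(match.group("req"))
        if len(uri) > max_uri:
            findings.append({"line": number, "ip": match.group("ip"),
                             "method": method, "uri_len": len(uri),
                             "filler": round(filler_ratio(uri), 3),
                             "reason": "overlong request URI"})
    return findings

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE = [
    '192.0.2.10 - - [12/Dec/2002:10:00:01 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [12/Dec/2002:10:00:02 +0100] "OPTIONS * HTTP/1.0" 200 0',
    '198.51.100.7 - - [12/Dec/2002:10:00:05 +0100] "OPTIONS /' + "A" * 5001 + '.HTML HTTP/1.0" - -',
    '198.51.100.7 - - [12/Dec/2002:10:00:09 +0100] "OPTIONS /' + "A" * 5001,  # truncated entry
]
```

A filler ratio close to 1.0 separates padded requests from legitimately long URLs such as large query strings.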