Vulnerability Development: Re: Denial of Service in Xitami webserver all versions up to v2.5b1 for Windows.

Re: Denial of Service in Xitami webserver all versions up to v2.5b1 for Windows.

From: Roman <webmad_at_MAIL.RU>
Date: Tue, 4 Apr 2000 22:04:04 +0200

>> Anyone can remotely crash Xitami webserver by sending simple GET
>> command. On remote side will be:
>>
>> Assertion Failed!
>> Module: D:\Imatix\Develop\Smt\Smthttpl.c , line 745
>>
>> All you need to do is just telnet to remote computer and execute
>> GET<space><enter><enter> command. Also Xitami will crash if you'll execute
>> POST<space><enter><enter> or HEAD<space><enter><enter> command.
>>
>>
>> There is another DoS in Xitami. By default installation Xitami
>> allows anonymous users on ftp. So connect to remote computer as
>> anonymous user and execute cd con/con command.
>> -----------------------------
>>
>> romanv_at_citycat.ru

M> Tried to bring it down from a remote account which failed, got std http
M> error msg back.
M> Version Xitami 2.4d1 on Winx, set up for this one on http 8080, without
M> authorisation or ipmasks.

To crash Xitami you need to telnet to the http port and type GET<leave space here>,
then press Enter twice (i.e. "GET \n\n").

M> Are you sure it ain't because you used a beta version?
M> Or did you test some previous versions as well?

Yes, I have tested this vulnerability on Xitami v2.5b1 and on the previous one.
Xitami v2.5b1 is the latest version I've found.

M> Is it in the console or the std. version?
M> Did you compile it yourself or did you get a precompiled version?

I got the precompiled version from the Xitami website.

-----------------------------
romanv_at_citycat.ru
Received on Apr 04 2000
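
The failure described in this thread is an assertion firing on a request line that has a method but no target. As an added example (not part of the original post and not Xitami's code), here is a request-line parser in C that rejects that shape with an error code instead of asserting. The function name, result codes and buffer sizes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not Xitami's). */
enum { REQ_OK = 0, REQ_BAD = 400, REQ_NOT_IMPL = 501 };

/* Parse "METHOD SP target [SP version]" from one request line.
 * Every malformed shape returns an error code instead of tripping an
 * assertion, so untrusted input cannot abort the server process. */
int parse_request_line(const char *line, char *method, size_t mlen,
                       char *target, size_t tlen)
{
    static const char *known[] = { "GET", "HEAD", "POST" };
    size_t n, i;
    int ok = 0;

    if (!line || !method || !target || mlen == 0 || tlen == 0)
        return REQ_BAD;
    method[0] = target[0] = '\0';

    n = strcspn(line, " \t\r\n");        /* length of the method token */
    if (n == 0 || n >= mlen)
        return REQ_BAD;
    memcpy(method, line, n);
    method[n] = '\0';
    for (i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(method, known[i]) == 0)
            ok = 1;
    if (!ok)
        return REQ_NOT_IMPL;

    line += n;
    line += strspn(line, " \t");         /* skip the separator */
    n = strcspn(line, " \t\r\n");        /* length of the target token */
    if (n == 0 || n >= tlen)             /* "GET \n\n" has n == 0 */
        return REQ_BAD;
    memcpy(target, line, n);
    target[n] = '\0';
    return REQ_OK;
}

int main(void)
{
    char m[16], t[256];
    /* Constructed sample inputs; the first two match the shape in the post. */
    const char *s[] = { "GET \n\n", "HEAD \n\n", "GET /index.html HTTP/1.0\r\n" };
    for (size_t i = 0; i < 3; i++)
        printf("%d\n", parse_request_line(s[i], m, sizeof m, t, sizeof t));
    return 0;
}
```

An `assert()` is a debugging aid for programmer errors; any condition an unauthenticated client can reach belongs on an ordinary error path like the `REQ_BAD` returns above.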
