> Is it possible to also crash a Web server hosted on a Windows box using > a URL something like: > > http://www.somebody.com/aux
A few servers have been affected by this over the years, including: "T. Hauck Jana Webserver" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0558 "BEA Systems Weblogic Server 6.1" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0106 "Cyberstop Web Server for Windows 0.1" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0200 "Jigsaw 2.2.1 on Windows" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1052 "Small HTTP server 2.03" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0493 Problems with device names such as AUX and others appear fairly frequently. The impact is not always a crash, e.g. you can have source code disclosure, and I saw one issue where a device name played a role in a directory traversal bug. These issues probably also affect CGI programs. FTP servers have also been affected. Basically, anything that handles pathnames in a Windows environment is a potential issue. If I recall correctly, Howard and LeBlanc's "Writing Secure Code" book discusses this problem. - Steve _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
