Xerver HTTP Server 4.32 - Remote Denial of Service

EDB-ID:

9717


Author:

Dr_IDE

Type:

dos


Platform:

Windows

Date:

2009-09-18


#################################################################################
#                                                                   	     	#
# Xerver HTTP Server <= v4.32 Remote Denial of Service	 		        #
# Found By:	Dr_IDE				                                #
# Download:	http://www.javascript.nu/xerver                          	#
# Tested On:	Windows XPSP3                                            	#
#                                                                        	#
#################################################################################

- Description -

Xerver v4.32 is a Windows based HTTP server. This is the latest version of
the application available.

Xerver v4.32 is vulnerable to a remote denial of service through following means.

Xerver ships with a web based configuration program, essentially making this DoS
remote if and when the Remote Setup is running.

The admin package runs on port 32123 and does not require any form of 
authentication to make changes to the server configuration.

- Bug -

If the HTTP Server port is set to any kind of letter combination, the server will
crash and be unable to be restarted unless the configuration file is manually
edited to remove the letters and put back to a number (ie. 80).

- Example -

1. http://172.16.2.101:32123/?action=wizardStep1
2. Enter anything in the port field, "Dr_IDE"
3. Click Save and Continue

- Results - 

The server will crash hard, and you will be unable to restart it. You must edit the 
configuration file, Xerver2.cfg and replace the first line of the file with a Port
number.

- Note - 

I tried to make this a possible XSS attack but I couldn't manage. Perhaps someone 
else can figure it out.

Methods and variables of interest for this attack:

SubmitForm()
document.myForm.portNR.value="80" # default, any letters here would kill the server

# milw0rm.com [2009-09-18]