Fizmez Web Server Null Connection Denial Of Service Vulnerability
BID:9894
Info
| Bugtraq ID: | 9894 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 16 2004 12:00AM |
| Updated: | Mar 16 2004 12:00AM |
| Credit: | Discovery of this vulnerability has been credited to "Donato Ferrante" <[email protected]>. |
| Vulnerable: | Fizmez Web Server 1.0 |
| Not Vulnerable: | Fizmez Web Server 1.1 |
Discussion
Fizmez Web Server has been reported prone to a denial of service vulnerability.
It has been reported that if the server handles a connection and that connection then drops without sending any data to the affected server, the server will crash while attempting to dereference a null pointer.
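The condition described above, as an added example that is not Fizmez code: it assumes the request line is read with BufferedReader.readLine(), which returns null when the peer closes the connection before sending anything. The class name, status strings and sample inputs are hypothetical, and the no-space check goes beyond the null case the advisory describes.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;

public class RequestLineGuard {
    /** Outcome of reading one request line; method is null when nothing usable arrived. */
    static final class RequestLine {
        final String method, target, status;
        RequestLine(String method, String target, String status) {
            this.method = method; this.target = target; this.status = status;
        }
    }

    // readLine() returns null at end of stream, which is what a server sees
    // when the peer disconnects without sending a single byte.
    static RequestLine readRequestLine(BufferedReader in) throws IOException {
        String line = in.readLine();
        if (line == null) {
            return new RequestLine(null, null, "closed-without-data");
        }
        int firstSpace = line.indexOf(' ');
        if (firstSpace <= 0) {
            // indexOf returns -1 when there is no space; substring(0, -1) would throw.
            return new RequestLine(null, null, "malformed");
        }
        int secondSpace = line.indexOf(' ', firstSpace + 1);
        String target = secondSpace < 0
                ? line.substring(firstSpace + 1)
                : line.substring(firstSpace + 1, secondSpace);
        return new RequestLine(line.substring(0, firstSpace), target, "ok");
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: an empty stream (peer closed silently), a line
        // with no space, and a normal request line.
        String[] samples = { "", "GARBAGE\r\n", "GET /index.html HTTP/1.0\r\n" };
        for (String s : samples) {
            RequestLine r = readRequestLine(new BufferedReader(new StringReader(s)));
            System.out.println(r.status + " method=" + r.method + " target=" + r.target);
        }
    }
}
```

A caller would close the socket and return to accepting connections for any status other than "ok", so one silent client cannot take the listener down.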
Exploit / POC
An attacker may exploit this condition using a telnet client.
Solution / Fix
Solution:
The following is an untested, unconfirmed patch provided by a third party. It may be used to patch version 1.0 of the software:
( line: 268 of FizmezWebServer.java )
eh.debug("Received input ["+line+"]");
//Hash out request information
/* start of patch */
int firstSpaceIndex = 0;
try
{
firstSpaceIndex = line.indexOf(" ");
}
catch(NullPointerException npe)
{
System.out.println("Void Connection Dropped...");
break;
}
/* end of patch */
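Review bot: at `firstSpaceIndex = line.indexOf(" ");` the null case is handled by catching NullPointerException, which treats an expected end-of-stream condition as an exception; an explicit `if (line == null)` test placed before the first use of `line` states the intent directly and would also keep the preceding `eh.debug(...)` call from logging "[null]". The `break` assumes this code sits inside a loop that the excerpt does not show, so it is worth confirming that the enclosing loop is the per-connection one and that the socket is closed on that path. When `line` is non-null but contains no space, `firstSpaceIndex` ends up as -1, so the code that uses it next should check for that value.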
The vendor has released an update to address this issue:
Fizmez Web Server 1.0
- Fizmez fws-1.1.tar.gz
http://fizmez.com/downloads/fws-1.1.tar.gz
References
References:
- Fizmez Web Server Homepage (Fizmez)