[Original] Jigsaw 2.2.1 on Windows systems allows remote attackers to use MS-DOS device names in HTTP requests to (1) cause a denial of service using the "con" device, or (2) obtain the physical path of the server using two requests to the "aux" device.
Jigsaw is an HTTP server produced by the W3C. It is implemented in Java and runs on a wide range of systems, including Microsoft Windows, Linux and other Unix-based systems.
A vulnerability has been reported in some versions of Jigsaw running under Microsoft Windows. Certain HTTP requests for DOS device files may result in process threads hanging. As there is no timeout, each request permanently reduces the number of available server threads.
In particular, a request for '/servlet/con' has been reported to cause this behavior.
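The problem described above is that a Windows host resolves reserved MS-DOS device names (CON, AUX, PRN, NUL, COM1-9, LPT1-9) anywhere in a path, including forms such as "con.txt" or "aux:", so a server that opens a request path as a file can block on the device. The following added example (not Jigsaw code, and not from the original advisory) shows the defender's side: a predicate that recognises reserved device names in a URL path, usable both as input validation before a file is opened and as a detector over access log lines. The log lines are constructed for the example; the IP addresses and timestamps are placeholders.

```python
import re
from urllib.parse import unquote

# Windows reserved device names; the base name before the first '.' or ':'
# is what the OS compares, case-insensitively, with trailing spaces/dots ignored.
RESERVED_DEVICE_NAMES = {
    "CON", "PRN", "AUX", "NUL",
    *(f"COM{i}" for i in range(1, 10)),
    *(f"LPT{i}" for i in range(1, 10)),
}

# Matches the request line inside a Common Log Format entry (constructed format).
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/\d\.\d"')


def is_reserved_device_name(segment: str) -> bool:
    """Return True if one path segment would resolve to a DOS device on Windows.

    Handles percent-encoding ("%63on"), case ("CoN"), extensions ("con.txt"),
    stream/colon suffixes ("aux:") and trailing dots/spaces ("nul. ").
    """
    name = unquote(segment).strip(" .")
    base = re.split(r"[.:]", name, maxsplit=1)[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICE_NAMES


def path_has_reserved_device(url_path: str) -> bool:
    """Check every segment of a URL path (query string ignored)."""
    path_only = url_path.split("?", 1)[0]
    return any(is_reserved_device_name(seg) for seg in path_only.split("/") if seg)


def find_device_name_requests(log_lines):
    """Return the request paths in the given access-log lines that name a device."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if m and path_has_reserved_device(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample access-log lines (placeholder addresses and dates).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2002:10:00:01 +0000] "GET /servlet/con HTTP/1.0" 200 0',
    '192.0.2.10 - - [12/Jul/2002:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 1532',
    '192.0.2.11 - - [12/Jul/2002:10:00:09 +0000] "GET /docs/aux.html HTTP/1.0" 200 0',
    '192.0.2.12 - - [12/Jul/2002:10:00:12 +0000] "GET /console/ HTTP/1.0" 200 800',
    '192.0.2.13 - - [12/Jul/2002:10:00:15 +0000] "GET /files/%4Eul HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for hit in find_device_name_requests(SAMPLE_LOG):
        print("reserved device name in request path:", hit)
```

The same `path_has_reserved_device` check can be placed in front of any code path that maps a URL to a filesystem object on Windows; rejecting such requests with a 4xx before the file is opened avoids the hanging thread entirely, independent of whether the server has a request timeout.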
No exploit code is required.
This issue is fixed in development versions of Jigsaw dated later than July 11, 2002.

For W3C Jigsaw 2.2.1: