[Original] Aprelium Technologies Abyss Web Server 1.1.2, and possibly other versions before 1.1.4, allows remote attackers to cause a denial of service (crash) via an HTTP GET message with empty (1) Connection or (2) Range fields.
source: http://www.securityfocus.com/bid/7287/info
A denial of service vulnerability has been reported for Abyss Web Server. The vulnerability exists when Abyss attempts to parse certain incomplete HTTP headers.
GET / HTTP/1.0
Connection:

GET / HTTP/1.0
Range:
Abyss Web Server contains a flaw that may allow a remote denial of service. The issue is triggered when handling incomplete GET headers. With a malformed GET request containing an empty 'Connection:' and 'Range:' field, a remote attacker can cause the server to crash, resulting in a loss of availability.
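Added example (not part of the original advisory or of Abyss Web Server's code): a Python check that flags requests in which a Connection or Range header is present with an empty value, the pattern described above, for use on captured requests or in a front-end filter. The function name empty_watched_headers and the sample requests are constructed for illustration.

```python
# Added example: flag HTTP requests whose Connection or Range header has no value.
WATCHED = ("connection", "range")  # the two fields named in the advisory


def empty_watched_headers(raw: bytes, watched=WATCHED) -> list:
    """Return watched header names that appear with an empty value.

    Only the header section is inspected; scanning stops at the first
    blank line so body bytes are never mistaken for headers.
    """
    # Accept both CRLF and bare LF line endings, as lenient servers do.
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    hits = []
    for line in lines[1:]:  # lines[0] is the request line
        if line.strip() == b"":
            break  # end of header section
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a "name: value" line; ignore it
        key = name.strip().decode("latin-1").lower()
        # Whitespace-only values count as empty; report each name once.
        if key in watched and value.strip() == b"" and key not in hits:
            hits.append(key)
    return hits


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "empty-connection": b"GET / HTTP/1.0\r\nConnection:\r\n\r\n",
    "empty-range-ws": b"GET / HTTP/1.0\nrange:   \n\n",
    "benign": b"GET / HTTP/1.0\r\nConnection: close\r\nRange: bytes=0-99\r\n\r\n",
    "body-only": b"POST /f HTTP/1.0\r\nContent-Length: 7\r\n\r\nRange:\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, empty_watched_headers(req))
```

The "body-only" sample shows why the scan stops at the blank line: a "Range:" string inside a request body is not a header and is not reported.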
-
Timeline
2003-04-05
Unknown
2003-04-05
Unknown
-
Solution
Upgrade to version 1.1.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.