Published: 2004-04-27 00:00:00
Revised: 2016-10-17 23:04:02

[Original text] DiGi Web Server allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request that contains a large number of / (slash) characters, which consumes resources when DiGi converts the slashes to \ (backslash) characters.

[CNNVD] DiGi WWW Server Remote Denial of Service Vulnerability (CNNVD-200404-097)

        DiGi Web Server is vulnerable. A remote attacker can cause a denial of service (CPU consumption) with an HTTP GET request containing a large number of / (slash) characters; the server consumes the resources while converting those slashes to \ (backslash) characters.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:digi:www_server:compieuw:beta1    DiGi DiGi WWW Server Compieuw.1
cpe:/a:digi:www_server:compieuw:beta2    DiGi DiGi WWW Server Compieuw beta 2
cpe:/a:digi:www_server:compieuw          DiGi DiGi WWW Server Compieuw

- OVAL (technical details for detection)


- Official database links
(official source) MITRE
(official source) NVD
(official source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20040427 resources consumption in DiGi WWW Server
(VENDOR_ADVISORY)  XF  digi-www-slash-dos(15987)

- Vulnerability information

DiGi WWW Server Remote Denial of Service Vulnerability
Medium  Input validation
2004-04-27 00:00:00 2005-10-20 00:00:00
        DiGi Web Server is vulnerable. A remote attacker can cause a denial of service (CPU consumption) with an HTTP GET request containing a large number of / (slash) characters; the server consumes the resources while converting those slashes to \ (backslash) characters.

- Advisories and patches

        Apparently, the 'Compieuw.2' version of DiGi WWW Server is not affected by this vulnerability.
        DiGi WWW Server Web Server Compieuw
        DiGi WWW Server Web Server Compieuw beta 2
        DiGi WWW Server Web Server Compieuw.1

- Vulnerability information (24066)

DiGi WWW Server 1 Remote Denial Of Service Vulnerability (EDBID:24066)
multiple dos
2004-04-27 Verified
0 Donato Ferrante
N/A

The DiGi WWW Server has been reported to contain a remote denial of service vulnerability. When the server receives a malformed HTTP GET request whose request-target is an extremely long run of slashes, the web server process consumes large amounts of CPU time.

Since this is a web server application, the result is a remotely exploitable denial of service. Sending a request of the form

GET ///[660Kb of /]/// HTTP/1.1

to a vulnerable server demonstrates the effect.

- Vulnerability information

DiGi Web Server GET Request Handling Remote DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability
Exploit Public Vendor Verified

- Vulnerability description

DiGi Web Server contains a flaw that may allow a remote denial of service. The issue is triggered when a very long HTTP GET request is received, and results in loss of availability for the service. The server contains a routine that converts each slash in the request to a backslash; when presented with many thousands of slashes in the GET request, that routine consumes large amounts of CPU time.
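The mechanism described above (a slash-to-backslash conversion whose cost explodes when the request-target is many thousands of slashes) and the probe shape from the Exploit-DB entry can be modelled in a few lines. The following Python is an added example, not DiGi's code and not the published exploit: `naive_convert` is a hypothetical reconstruction of how such a conversion becomes quadratic (rebuild the string after every replacement and restart the scan), `linear_convert` is the single-pass form, `MAX_TARGET_LEN` is an assumed cap, and the host name is made up. It counts character reads instead of timing so the growth is reproducible.

```python
# Added example (not DiGi's code). Models the advisory's failure mode:
# a slash-to-backslash routine whose cost grows quadratically with the
# number of slashes, beside the linear routine and a bounded variant.

MAX_TARGET_LEN = 8192  # assumed request-target cap for the hardened path


def build_probe_request(slash_count: int, host: str = "target.example") -> bytes:
    """Build a GET whose request-target is `slash_count` '/' characters,
    the shape of the published PoC ("GET ///[660Kb of /]/// HTTP/1.1").
    The host name is constructed for the example."""
    return (b"GET " + b"/" * slash_count + b" HTTP/1.1\r\n"
            + b"Host: " + host.encode("ascii") + b"\r\n\r\n")


def request_target(request: bytes) -> str:
    """Extract the request-target from the request line (method SP target SP version)."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1].decode("ascii")


def naive_convert(path: str) -> tuple[str, int]:
    """Hypothetical vulnerable routine: find the first '/', replace it by
    rebuilding the string, then restart the scan from the beginning.
    Every pass re-reads the already-converted prefix, so for n slashes the
    character reads total n(n+3)/2, i.e. O(n^2)."""
    s = path
    reads = 0
    while True:
        hit = -1
        for i, ch in enumerate(s):
            reads += 1
            if ch == "/":
                hit = i
                break
        if hit < 0:
            return s, reads
        s = s[:hit] + "\\" + s[hit + 1:]  # whole string rebuilt per replacement


def linear_convert(path: str) -> tuple[str, int]:
    """Single-pass form: one read per character, O(n)."""
    out = []
    reads = 0
    for ch in path:
        reads += 1
        out.append("\\" if ch == "/" else ch)
    return "".join(out), reads


def guarded_convert(path: str) -> tuple[str, int]:
    """Hardened path: bound the input before any per-character work, then
    use the linear routine. Over-long targets are rejected outright."""
    if len(path) > MAX_TARGET_LEN:
        raise ValueError(f"request-target longer than {MAX_TARGET_LEN} bytes")
    return linear_convert(path)


def compare_work(slash_count: int) -> dict[str, int]:
    """Parse a probe request, run both routines on its target, and report
    how many character reads each needed."""
    target = request_target(build_probe_request(slash_count))
    naive_out, naive_reads = naive_convert(target)
    linear_out, linear_reads = linear_convert(target)
    assert naive_out == linear_out  # same result, very different cost
    return {"slashes": slash_count,
            "naive_reads": naive_reads,
            "linear_reads": linear_reads}


if __name__ == "__main__":
    for n in (10, 100, 1000, 2000):
        print(compare_work(n))
```

Running it prints the read counts for 10, 100, 1000 and 2000 slashes: the naive routine's count grows as n(n+3)/2 while the linear one stays at n, which is why a request-target of a few hundred kilobytes of slashes pins the CPU. The guarded variant rejects an over-long target before any conversion work is done, the general fix for this class of bug; the page itself reports no vendor workaround other than upgrading to Compieuw.2.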

- Timeline

2004-04-27 Unknown
2004-04-27 Unknown

- Solution

Upgrade to version Compieuw.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author