From peter.grundl@DEFCOM.COM Tue Jan 23 00:10:58 2001 From: "Peter [iso-8859-1] Gründl" X-Sender: prg@astral.defcom.com To: BUGTRAQ@SECURITYFOCUS.COM Date: Mon, 22 Jan 2001 13:30:33 +0100 Subject: [BUGTRAQ] def-2001-05: Netscape Fasttrack Server Caching DoS [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] ====================================================================== Defcom Labs Advisory def-2001-05 Netscape Fasttrack Server Caching DoS Author: Peter Gründl Release Date: 2001-01-22 ====================================================================== ------------------------=[Brief Description]=------------------------- The Fasttrack 4.1 server has problems with its caching module. The problem can result in all the server memory being consumed and thus causing the server to perform very sluggishly. ------------------------=[Affected Systems]=-------------------------- - Netscape Fasttrack Server 4.1 for Windows NT 4.0 ----------------------=[Detailed Description]=------------------------ The Fasttrack 4.1 server caches requests for non-existing URLs with valid extensions (eg. .html). The cached ressources are not freed again (at least not after half an hour), so a malicious user could cause the web server to perform very sluggishly, simply by requesting a lot of non-existing html-documents on the web server. ---------------------------=[Workaround]=----------------------------- None known. -------------------------=[Vendor Response]=-------------------------- This issue was brought to the vendor's attention on the 7th of December, 2000. Vendor replied that the Fasttrack server is not meant for production environments and as that, the issue will not be fixed. ====================================================================== This release was brought to you by Defcom Labs labs@defcom.com www.defcom.com ======================================================================