Security vulnerabilities in Small HTTP Server (DoS)
15 Nov. 2000
Summary
Small HTTP Server is a very small program (less than 30kb) that turns your computer into a full-service Web-server. This program suffers from several remotely exploitable Denial of Service security holes.
Credit:
The information has been provided by Kotarac Ante.
1) Non-existing directories resource depletion:
By default if a user sends requests without specifying a file name (http://www.example.com/subdirectory/), the HTTP server will look for index.html in that folder, and if it doesn't exist it will fill the memory with 68K. The directory doesn't need to exist either, so anyone can write a small program that sends lot requests to exhaust the server's memory (5000 requests will fill up 300Mb of memory).
2) SSI DoS:
Small HTTP Server supports ServerSidesIncludes. When the server finds an SSI Tag that looks like this <!--#tag_name= <*EMPTY> --> it will crash. #tag_name can be any of supported (#fsize, #include, #printenv...). In order to execute SSI tags the files must have the *.shtm or *.shtml extension.
3) Premature closing:
The HTTP Server will crash if an attacker sends out a few GET, HEAD or POST requests and closes connection before the server has answered.
