OSVDB ID: 12173

Title: JanaServer pna-proxy Real Player Request DoS

Info

Dates

Disclosure: Nov 30, 2004
Discovery: Unknown
Exploit: Nov 30, 2004
Solution: Unknown

Description

JanaServer2 contains a flaw that may allow a remote denial of service. The issue is due to an error in the "pna-proxy" module when handling Real Player requests. By specifying a data block size bigger than the data actually sent in a Real Player request, a remote attacker can cause an endless loop and crash the server, resulting in a loss of availability.
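The class of bug described above, shown as an added example that is not JanaServer2 code and not part of the original entry: a block reader that bounds the declared size and stops when the peer sends less than it declared. The 2-byte big-endian size prefix, the MAX_BLOCK limit and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed in-memory stand-in for a socket: a read returns 0 once the
   data is exhausted, like recv() on a connection the peer has closed. */
struct stream { const unsigned char *buf; size_t len, pos; };

static size_t stream_read(struct stream *s, unsigned char *dst, size_t want) {
    size_t left = s->len - s->pos;
    size_t n = want < left ? want : left;
    memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return n;                         /* 0 means nothing more was sent */
}

enum { BLOCK_OK = 0, BLOCK_TOO_LARGE = -1, BLOCK_TRUNCATED = -2 };
#define MAX_BLOCK 4096                /* assumed per-protocol upper bound */

/* Flawed pattern, for contrast only (not compiled):
 *     while (got < declared)
 *         got += stream_read(s, out + got, declared - got);
 * If the declared size exceeds the data sent, every read returns 0 and
 * the loop never terminates. */

/* Hardened: reject oversized declarations, treat a zero-byte read as an error. */
int read_block(struct stream *s, size_t declared, unsigned char *out, size_t out_cap) {
    size_t got = 0;
    if (declared > MAX_BLOCK || declared > out_cap)
        return BLOCK_TOO_LARGE;
    while (got < declared) {
        size_t n = stream_read(s, out + got, declared - got);
        if (n == 0)
            return BLOCK_TRUNCATED;   /* declared size exceeds data sent */
        got += n;
    }
    return BLOCK_OK;
}

/* Hypothetical framing: 2-byte big-endian block size, then the block data. */
int parse_request(const unsigned char *msg, size_t len, unsigned char *out, size_t cap) {
    struct stream s = { msg, len, 0 };
    unsigned char hdr[2];
    if (stream_read(&s, hdr, 2) != 2) return BLOCK_TRUNCATED;
    return read_block(&s, ((size_t)hdr[0] << 8) | hdr[1], out, cap);
}
```

On a real socket the same check applies to a recv() return of 0 or an error, and a read timeout covers a peer that keeps the connection open without sending the remaining bytes.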

Classification

Location: Remote / Network Access
Attack Type: Denial of Service, Input Manipulation
Impact: Loss of Confidentiality, Loss of Availability
Exploit: Exploit Public

Solution

Upgrade to version 2.4.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Thomas Hauck JanaServer2 2.4.4

References

Credit

  • Luigi Auriemma - aluigi@autistici.org - http://aluigi.altervista.org

Direct URL: http://osvdb.org/12173