appweb contains a flaw that may allow a remote denial of service. The issue is triggered when using format strings (%s %d %d ...) directly into the URL requested, and will result in loss of availability for the appweb server.
Classification
Location:
Remote / Network Access,
Local / Remote,
Context Dependent
Attack Type:
Denial of Service,
Input Manipulation
Impact:
Loss of Integrity,
Loss of Availability
Exploit:
Exploit Public
Disclosure:
OSVDB Verified,
Vendor Verified
Technical
This vulnerability is a format string bug in the code related to access logging.
It will not be present if webserver is compiled without log support. (--disable-log option to configure)
Solution
Upgrade to version 2.2.2 or higher, as it has been reported to fix this vulnerability.
Setting an "ErrorLog" directive in appweb.conf has also been reported as a possible workaround
This product uses the Daylife API but is not endorsed or certified by Daylife.
This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.
