Info

Disclosure

Apr 29, 2007

Discovery

Aug 06, 2006

Dates

Exploit

Unknown

Solution

Unknown

Description

appweb contains a flaw that may allow a remote denial of service. The issue is triggered when using format strings (%s %d %d ...) directly into the URL requested, and will result in loss of availability for the appweb server.

Classification

Location: Remote / Network Access, Local / Remote, Context Dependent
Attack Type: Denial of Service, Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 2.2.2 or higher, as it has been reported to fix this vulnerability. Setting an "ErrorLog" directive in appweb.conf has also been reported as a possible workaround

Products

Mbedthis Software, LLC.

AppWeb

2.0.5-4

References

CVE ID: 2007-3009 (see also: NVD)
Bugtraq ID: 24454
Secunia Advisory ID: 25641
VUPEN Advisory: ADV-2007-2159
Vendor Specific News/Changelog Entry: http://www.appwebserver.org/forum/viewtopic.php?t=969

Credit

rachmel -

Direct URL: http://osvdb.org/35510