COMMAND

    vWebServer

SYSTEMS AFFECTED

    vWebServer

PROBLEM

    Extirpater found following.

    1- ASP file source disclosing:
    ==============================
    Adding a  unicoded space  character at  the end  of requested URL,
    vWebServer  shows  the  ASP  file  instead  of  executing  it.  An
    example request looks this

        http://www.TargetHost.com/anything.asp%20

    2- DOS device filename vulnerability:
    =====================================
    Under Windows 9x, using any DOS device names (aux, con, prn,  ...)
    as a filename  or directory crashes  Windows.  vWebServer  doesn't
    filter those requests.

    Below example  crashes both  web server  and Windows  with a  blue
    screen of death.  Example:

        http://www.TargetHost.com/aux/aux

    3- Very long URL vulnerability:
    ===============================
    Requesting a very long URL (tested 8192 bytes long) will  resulted
    in Error  #5, File  error.   After requesting  2-3 times  the same
    URL, web server will no longer response anything.  Restart needed.
    Example:

        http://www.TargetHost.com/AAAAAAAAA...(Ax8192)...AAA

   Credit goes to Melih SARICA and Bilgiteks IT.

SOLUTION

    Informed and confirmed.