COMMAND

    Website Pro

SYSTEMS AFFECTED

    Website Pro 3.0.37

PROBLEM

    Following is based on a Defcom Labs Advisory def-2001-15 by  Peter
    Grundl.  The  remote manager service  contains a flaw  that allows
    an attacker to cause the service to crash.

    The remote manager service (default on port 9999) will leak memory
    if non-authenticated  requests are  repeatedly made  to the  /dyn/
    directory and will eventually get killed by the OS, eg:

        GET /dyn/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.0
        host: 10.0.0.1

SOLUTION

    Disallow  access  to  the  remote  manager  service from untrusted
    networks.   The service  is on  TCP port  9999 by  default.   This
    issue  was  brought  to  the  vendor's  attention  on  the 21st of
    February,  2001  and  although  the  vendor  has  been   contacted
    repeatedly no workaround or fix has been received to this date.