COMMAND

    Xitami

SYSTEMS AFFECTED

    Xitami 2.4d7, 2.5d4

PROBLEM

    nemesystm of the DHC found the following.  Xitami is a webserver.  It
    has a denial-of-service vulnerability.  Vulnerable is anyone running
    Xitami 2.5d4, 2.4d7 and presumably earlier on a Windows 98/Millennium
    operating system.

    To test for this vulnerability, send a request like this one:

        www.server.com/aux

    Some computers crash after this request.  Others seem to continue
    working, but browsing the website or logging into the FTP server
    then fails.  Sometimes a refresh of the main page even works, but no
    other links do.  Trying to close the server by hitting the terminate
    button fails as well, meaning you'll have to Ctrl+Alt+Del it.

    Because some computers do not crash completely or give any error
    messages, this is dangerous, as things seem to be normal at first
    glance.

SOLUTION

    Xitami tries to do the Right Thing (tm) in handling the "magical"
    device filenames; under Win32 (95/98/ME/NT/2000), the function
    system_devicename() in sflfile.c checks each path component with
    QueryDosDevice(), and rejects paths containing a component that is
    reported as a device.  On other MS-DOS-like platforms Xitami compares
    (case-insensitively) against a list of "known problem" filenames
    (aux, con, nul, prn, com[0-9], lpt[0-9]); this code is used for plain
    DOS and OS/2, but not for Win32.

    For some reason this test does not seem to detect AUX as a device
    file under Win32; Xitami are still investigating why, and whether the
    issue is confined to AUX or affects other device names as well.
    However, most of the problem device names appear to be caught by this
    QueryDosDevice() test.

    Once Xitami has finished determining the extent of the device files
    that aren't being caught by the existing tests, they plan to release
    a minor update to both Xitami 2.4 (release code) and Xitami 2.5 (beta
    test code) with a workaround for this issue, possibly including a
    hard-coded check for AUX that is always done, in addition to the
    Win32 QueryDosDevice() check where available.  This update will be
    announced on the Xitami user mailing list and announcement list when
    it is available.

    Meanwhile some Xitami users have reported that defining a Xitami
    alias for "AUX" that points at some non-existent file avoids the
    issue reported (as the alias expansion is done before any files are
    opened); we would suggest those looking for an immediate workaround
    consider this.
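    The portable "known problem" name check described above, written out in
    C as an added example; this is not Xitami's own code from sflfile.c, and
    it does not call the Win32-only QueryDosDevice().  It generalises
    slightly beyond the advisory's plain list by ignoring any extension
    after the first dot, since Windows resolves names such as aux.txt to
    the AUX device as well.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* The "known problem" names the advisory lists; com[0-9] and lpt[0-9] are
 * handled separately because of the trailing digit. */
static const char *const reserved[] = { "aux", "con", "nul", "prn" };

/* Case-insensitive comparison of the first n bytes of comp against dev. */
static bool name_equals(const char *comp, size_t n, const char *dev)
{
    if (n != strlen(dev)) return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)comp[i]) != (unsigned char)dev[i])
            return false;
    return true;
}

/* True if one path component names a DOS device.  Only the part before the
 * first '.' is examined, since Windows resolves "aux.txt" to AUX as well
 * (a generalisation beyond the advisory's plain list). */
static bool component_is_device(const char *comp, size_t len)
{
    size_t n = 0;
    while (n < len && comp[n] != '.') n++;      /* drop any extension */
    for (size_t i = 0; i < sizeof reserved / sizeof reserved[0]; i++)
        if (name_equals(comp, n, reserved[i])) return true;
    if (n == 4 && isdigit((unsigned char)comp[3]) &&
        (name_equals(comp, 3, "com") || name_equals(comp, 3, "lpt")))
        return true;
    return false;
}

/* Walks a request path such as "/docs/AUX/index.html" and reports whether
 * any component is a device name; '/' and '\\' both count as separators. */
bool path_has_device_component(const char *path)
{
    const char *start = path;
    for (const char *p = path; ; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            if (p > start && component_is_device(start, (size_t)(p - start)))
                return true;
            if (*p == '\0') return false;
            start = p + 1;
        }
    }
}
```

    A server would run this on the decoded request path before any file is
    opened, rejecting the request with an error instead of touching the
    filesystem.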