| VID | 21210 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
The MediaHouse Statistics Server is vulnerable to a buffer overflow attack. MediaHouse Statistics Server (now DeepMetrix Corp. Livestats) is a web tool that provides live and historical statistics for a user's web server. The web interface for Statistics Server contains an unchecked buffer that accepts input from the "Server ID" field of the login web page. The login page limits this field to 16 characters, but the limit is enforced only in the HTML form and is easily circumvented by editing the HTML to remove it. Submitting a string of more than 3773 characters crashes the server. Because the overflow is in unchecked server-side memory, this bug could potentially be used to execute arbitrary code remotely.
Note: The server must be restarted to regain normal functionality.
Platforms Affected: MediaHouse Software Statistics Server 4.28; MediaHouse Software Statistics Server 5.01
References:
http://online.securityfocus.com/bid/734
http://www.iss.net/security_center/static/3286.php |
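The bug class described above (a fixed server-side buffer that trusts a client-side length limit), as an added example in C; this is illustrative code, not MediaHouse's. The form field name "ServerID", the request body layout and the helper names are assumptions; the 16-character form limit and the 3773-character crash threshold come from the description. The vulnerable handler is shown beside a hardened one that enforces the limit on the server before any copy is made.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class in the advisory, not MediaHouse's
   code. The field name "ServerID", the body layout and the helper names
   are assumptions; the two limits come from the description. */
#define SERVER_ID_MAX 16     /* what the login form's HTML enforces client-side */
#define CRASH_LEN     3774   /* first length the advisory says crashes the server */
#define BODY_MAX      4096   /* largest Server ID the probe helper will build */

/* Locate the raw value of field <name> in an application/x-www-form-urlencoded
   body. Returns the value pointer and sets *len, or NULL if the field is
   absent. No percent-decoding is done; real code must bound the *decoded*
   length, since "%41" decodes to one byte but arrives as three. */
static const char *form_field(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');      /* skip to the next field */
        if (p)
            p++;
    }
    return NULL;
}

/* VULNERABLE pattern: trusts the maxlength attribute and copies the field
   into a fixed stack buffer. Anything over 16 bytes writes past server_id;
   the advisory's >3773-byte string crashed the process. Kept only for
   contrast; never feed it untrusted input. */
int vulnerable_login(const char *body)
{
    char server_id[SERVER_ID_MAX + 1];
    size_t len;
    const char *v = form_field(body, "ServerID", &len);
    if (!v)
        return -1;
    memcpy(server_id, v, len);   /* no bound check: stack overflow */
    server_id[len] = '\0';
    return (int)strlen(server_id);
}

/* HARDENED: the limit is enforced on the server, before any copy, and
   oversized input is rejected rather than silently truncated. out must
   hold SERVER_ID_MAX + 1 bytes. Returns the length, -1 if the field is
   missing, -2 if the client-side limit was bypassed. */
int safe_login(const char *body, char *out)
{
    size_t len;
    const char *v = form_field(body, "ServerID", &len);
    if (!v)
        return -1;
    if (len > SERVER_ID_MAX)
        return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Build the body an attacker submits after deleting maxlength from the
   HTML: a Server ID of n 'A's followed by a dummy password. */
static size_t attack_body(char *buf, size_t n)
{
    size_t i = 0;
    memcpy(buf + i, "ServerID=", 9);    i += 9;
    memset(buf + i, 'A', n);            i += n;
    memcpy(buf + i, "&Password=x", 12); /* 11 chars plus terminator */
    return i + 11;
}

/* Run safe_login against a Server ID of length n; -3 if n is too big to build. */
int probe_safe_login(size_t n)
{
    static char body[BODY_MAX + 32];
    char out[SERVER_ID_MAX + 1];
    if (n > BODY_MAX)
        return -3;
    attack_body(body, n);
    return safe_login(body, out);
}

int main(void)
{
    printf("Server ID of %d bytes -> safe_login returns %d (rejected)\n",
           CRASH_LEN, probe_safe_login(CRASH_LEN));
    printf("Server ID of 5 bytes  -> safe_login returns %d (accepted)\n",
           probe_safe_login(5));
    return 0;
}
```

The point of the hardened version is that the check happens on the server against the length of the received value, so removing `maxlength` from the form buys the attacker nothing; rejecting rather than truncating also keeps an oversized Server ID from silently colliding with a legitimate one.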
| Recommendation |
Apply the patch for Statistics Server 4.28 & 5.01, available from: http://www.mediahouse.com/statisticsserver/download_trial/dist/ss50.exe
-- OR --
Upgrade to the latest version of Statistics Server (5.0.2 or later), available from: http://www.mediahouse.com/statisticsserver/support/502-from_50.shtml |
| Related URL | CVE-1999-0931 (CVE) |
| Related URL | http://online.securityfocus.com/bid/734 (SecurityFocus) |
| Related URL | http://www.iss.net/security_center/static/3286.php (ISS) |