Perlbal ClientProxy.pm denial of service
| perlbal-clientproxy-dos (41538) |  Low Risk |
Description:
Perlbal is vulnerable to a denial of service, caused by an error in ClientProxy.pm when buffer_uploads is enabled. By sending a zero-byte chunked upload, a remote attacker could crash the application.
Platforms Affected:
- Perlbal, Perlbal prior to 1.70
Remedy:
Upgrade to the latest version of Perlbal (1.70 or later), available from the Perlbal Web page. See References.
Consequences:
Denial of Service
References:
- Perlbal Changelog, 1.70: 2008-03-08, 1.70: 2008-03-08 at http://search.cpan.org/src/BRADFITZ/Perlbal-1.70/CHANGES.
- Perlbal Web page, Module Version: 1.70 at http://search.cpan.org/dist/Perlbal/lib/Perlbal.pm.
- Red Hat Bugzilla Bug 439054, CVE-2008-1532 Perlbal crashes upon empty buffered upload attempts at https://bugzilla.redhat.com/show_bug.cgi?id=439054.
- BID-28491: Perlbal Buffered Upload Remote Denial Of Service Vulnerability
- CVE-2008-1532: Perlbal before 1.70, when buffered upload is enabled, allows remote attackers to cause a denial of service (crash) via a zero-byte chunked upload.
- FrSIRT/ADV-2008-1045: Perlbal Denial of Service and Directory Traversal Vulnerabilities
- SA29565: Perlbal Chunked Uploads Denial of Service and Directory Traversal
Reported:
Mar 31, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net