Title: Abyss Web Server HTTP Header Injection Vulnerability
Severity: MODERATE
Description:
Abyss Web Server is a freely available personal web server. It is maintained by Aprelium Technologies and runs on Microsoft Windows operating systems, as well as Linux.
Abyss Web Server is prone to a vulnerability that could permit attackers to inject malicious data into server response headers. HTTP GET requests ending with ':\' characters will cause the server to return a HTTP 302 response to the client, which includes the requested URI in the Location: header field of the server response. User input is not sufficiently sanitized from this header field in the response. An attacker could cause malicious data such as HTML and script code to be included in the server response. It will also be possible be append additional HTTP header fields to the server response.
This could be exploited to launch cross-site scripting attacks. The attacker can also append arbitrary HTTP header information to the server response, which could permit cookie values to be set or spoofed header field data.
This issue is reported to affect Abyss Web Server 1.1.2. Later versions, such as 1.1.4 and 1.1.5 may be similarly affected, though this has not been confirmed.
Affected Products:
- Aprelium Technologies Abyss Web Server 1.1.2
References:
- Aprelium Technologies: Abyss Web Server Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
