Vulnerabilities > CVE-2008-3688 - Use of Uninitialized Resource vulnerability in Havp Http Antivirus Proxy 0.88
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
sockethandler.cpp in HTTP Antivirus Proxy (HAVP) 0.88 allows remote attackers to cause a denial of service (hang) by connecting to a non-responsive server, which triggers an infinite loop due to an uninitialized variable.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200809-11.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200809-11 (HAVP: Denial of Service) Peter Warasin reported an infinite loop in sockethandler.cpp when connecting to a non-responsive HTTP server. Impact : A remote attacker could send requests to unavailable servers, resulting in a Denial of Service. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 34251 |
published | 2008-09-22 |
reporter | This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/34251 |
title | GLSA-200809-11 : HAVP: Denial of Service |
code |
|
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 30697 CVE(CAN) ID: CVE-2008-3688 HAVP(HTTP Antivirus Proxy)是ClamAV杀毒扫描器的代理。 HAVP的sockethandler.cpp文件没有正确地处理客户端请求,如果客户端通过squid三明治模式的HAVP连接到没有响应的服务器的话,HAVP就会一直读取没有响应的服务器直到RECVTIMEOUT,通常为2分钟。之后HAVP会重新尝试一个循环,而由于未初始化的变量,这个循环为死循环。 仅在使用父代理且父代理为不需解析的数字IP地址时才会出现这个漏洞。 Christian Hilgers HAVP 0.88 Christian Hilgers ----------------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.server-side.de/download/havp-0.89.tar.gz target=_blank>http://www.server-side.de/download/havp-0.89.tar.gz</a> |
id | SSV:3872 |
last seen | 2017-11-19 |
modified | 2008-08-19 |
published | 2008-08-19 |
reporter | Root |
title | HAVP sockethandler.cpp客户端连接拒绝服务漏洞 |
References
- http://secunia.com/advisories/31494
- http://secunia.com/advisories/31494
- http://secunia.com/advisories/31971
- http://secunia.com/advisories/31971
- http://www.gentoo.org/security/en/glsa/glsa-200809-11.xml
- http://www.gentoo.org/security/en/glsa/glsa-200809-11.xml
- http://www.securityfocus.com/bid/30697
- http://www.securityfocus.com/bid/30697
- http://www.securitytracker.com/id?1020900
- http://www.securitytracker.com/id?1020900
- http://www.server-side.de/index.htm
- http://www.server-side.de/index.htm
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44467
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44467
- https://sourceforge.net/mailarchive/message.php?msg_name=487CDF51.5060201%40endian.com
- https://sourceforge.net/mailarchive/message.php?msg_name=487CDF51.5060201%40endian.com