CVE-2018-16789 - Infinite Loop vulnerability in Shellinabox Project Shellinabox
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | NONE |
Availability impact | HIGH |
Summary
libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down.
Packetstorm
data source | https://packetstormsecurity.com/files/download/149978/shellinabox220-dos.txt |
id | PACKETSTORM:149978 |
last seen | 2018-10-27 |
published | 2018-10-27 |
reporter | Imre Rad |
source | https://packetstormsecurity.com/files/149978/Shell-In-A-Box-2.2.0-Denial-Of-Service.html |
title | Shell In A Box 2.2.0 Denial Of Service |
References
- http://packetstormsecurity.com/files/149978/Shell-In-A-Box-2.2.0-Denial-Of-Service.html
- http://seclists.org/fulldisclosure/2018/Oct/50
- https://code.google.com/archive/p/shellinabox/issues
- https://github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361