Security Advisory B003 - Fastream NETFile FTP/Web Server HEAD Request Processing Lets Remote User Deny Service
=================

Release Date: Nov 15 2004

Impact: A remote user can make the Fastream Web Server deny service to other users.

Vendor URL: http://www.fastream.com/

Vulnerable Versions: Tested on Fastream NETFile FTP/Web Server 7.1.2 Professional - Previous versions probably vulnerable as well (not tested).

Description:
Fastream NETFile FTP/Web Server improperly handles the timeout on "keepalive" connections after a HEAD request is made to the web server. When a remote user sends a HEAD request, the web server doesn't close the connection with the client. This makes it possible for a remote user to use up all the available connections and thus make the software deny service to other users.

Solution/Status:
Vendor has been contacted and has released a fixed version (7.1.3).
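
To spot the condition described above on a server that has not yet been upgraded, the following added example (not part of the original advisory or of the vendor's code) counts, per client, connections left open and idle after a HEAD request. The snapshot line format, the 60-second keep-alive timeout and the pool size of 10 are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: one line per open web connection, in a hypothetical
# "peer state last=<method> idle=<seconds>" format (not NETFile output).
SAMPLE = """\
203.0.113.7:51022 ESTABLISHED last=HEAD idle=412
203.0.113.7:51023 ESTABLISHED last=HEAD idle=409
203.0.113.7:51024 ESTABLISHED last=HEAD idle=401
203.0.113.7:51025 ESTABLISHED last=HEAD idle=12
198.51.100.4:40110 ESTABLISHED last=GET idle=3
198.51.100.9:40500 ESTABLISHED last=HEAD idle=95
192.0.2.33:60001 TIME_WAIT last=HEAD idle=500
malformed line
"""

LINE = re.compile(
    r"^(?P<ip>[\d.]+):\d+\s+(?P<state>\S+)\s+last=(?P<method>[A-Z]+)\s+idle=(?P<idle>\d+)$"
)

def stale_head_connections(snapshot, keepalive_timeout=60):
    """Count, per client IP, open connections whose last request was HEAD
    and that have been idle longer than the keep-alive timeout."""
    stale = Counter()
    for line in snapshot.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        if (m["state"] == "ESTABLISHED" and m["method"] == "HEAD"
                and int(m["idle"]) > keepalive_timeout):
            stale[m["ip"]] += 1
    return stale

def flag_clients(snapshot, max_connections, keepalive_timeout=60, share=0.25):
    """Return {ip: (count, fraction_of_pool)} for clients whose stale HEAD
    connections hold at least `share` of the server's connection pool."""
    stale = stale_head_connections(snapshot, keepalive_timeout)
    return {ip: (n, n / max_connections)
            for ip, n in stale.items() if n / max_connections >= share}

if __name__ == "__main__":
    for ip, (n, frac) in flag_clients(SAMPLE, max_connections=10).items():
        print(f"{ip}: {n} stale HEAD connections ({frac:.0%} of pool)")
```

A connection that outlives the keep-alive timeout after a HEAD request should not exist on a fixed server, so any non-zero count from `stale_head_connections` is worth investigating.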