CVE
- Id
- 221
- CVE No.
- CVE-1999-0222
- Status
- Candidate
- Description
- Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.
- Phase
- Proposed (19990714)
- Votes
- ACCEPT(1) Baker | MODIFY(3) Frech, Levy, Shostack | NOOP(3) Balinsky, Northcutt, Wall | RECAST(1) Ziese | REJECT(1) Christey
- Comments
- Shostack> I follow cisco announcements and problems pretty closely, and haven"t | seen this. Source? | Frech> XF:cisco-web-crash | Christey> XF:cisco-web-crash has no additional references. I can"t find | any references in Bugtraq or Cisco either. This bug is | supposedly tested by at least one security product, but that | product"s database doesn"t have any references either. So | a question becomes, how did it make it into at least two | security companies" databases? | Levy> BUGTGRAQ: http://www.securityfocus.com/archive/1/60159 | BID 1154 | Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if | recast to reflect that "...after using a long url..." should be replaced | with | "...A defect in multiple releases of Cisco IOS software will cause a Cisco | router or switch to halt and reload if the IOS HTTP service is enabled, | browsing to "http://router-ip/anytext?/" is attempted, and the enable | password is supplied when requested. This defect can be exploited to produce | a denial of service (DoS) attack." | Then I can accept this and mark it as "Verfied by my Company". If it can"t | be recast because this (long uri) is diffferent then our release (special | url construction). | CHANGE> [Christey changed vote from REVIEWING to REJECT] | Christey> Elias Levy"s suggested reference is CVE-2000-0380. | I don"t think that Kevin"s description is really addressing | this either. The lack of references and a specific | description make this candidate unusable, so it should be | rejected.
