Buffer Overflow in Website Pro

Impact

A buffer overflow condition in Website Pro could allow a remote attacker to execute arbitrary commands on the server.

Background

O'Reilly's Website Professional is a full-featured web server for Windows platforms.

The Problem

There are two separate buffer overflow conditions in Website Pro, each of which could allow a remote attacker to execute arbitrary commands on the server. The first can be triggered in a number of ways, such as an overly long GET request line or an overly long Referer header. The second is triggered by supplying a very long search string to webfind.exe. Both conditions affect Website Pro 2.4 for Windows NT.
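The following C program is an added illustration of the bug class the advisory describes; it is not code from Website Pro or from O'Reilly. It models a hypothetical request-header handler that copies the Referer value into a fixed-size stack buffer with no length check, alongside a bounded version that refuses over-long values. The buffer size (256 bytes), the function names and the sample requests are assumptions made for the example.

```c
/* Added example, not Website Pro's code. FIELD_BUF, the function names and
 * the sample requests are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_BUF 256   /* hypothetical size of the server's fixed stack buffer */

/* Locate the value of "name: value" in a raw request. Returns a pointer to
 * the value and stores its length in *len, or NULL if the header is absent.
 * Nothing is copied here, so this routine itself cannot overrun a buffer. */
static const char *find_header(const char *req, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = req;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ') v++;
            const char *end = strpbrk(v, "\r\n");
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return NULL;
}

/* Vulnerable pattern (the class of bug in the advisory): the Referer value
 * is copied into a fixed stack buffer with no length check. A value longer
 * than FIELD_BUF-1 bytes runs past the buffer into the saved frame pointer
 * and return address, which is what turns a long header into code
 * execution. Shown for contrast only: never feed it untrusted input. */
static size_t referer_unsafe(const char *req)
{
    char buf[FIELD_BUF];
    size_t len;
    const char *v = find_header(req, "Referer", &len);
    if (!v) return 0;
    memcpy(buf, v, len);      /* no bound: this is the overflow */
    buf[len] = '\0';
    return strlen(buf);
}

/* Hardened pattern: check the length against the destination first and
 * reject the request (an HTTP 400 in a real server) instead of truncating
 * silently. Returns 0 and fills out on success, -1 if absent or too long. */
static int referer_safe(const char *req, char *out, size_t out_len)
{
    size_t len;
    const char *v = find_header(req, "Referer", &len);
    if (!v || out_len == 0 || len >= out_len)
        return -1;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Build a constructed request whose Referer value is value_len bytes of 'A'.
 * The caller frees the result. */
static char *make_long_request(size_t value_len)
{
    const char *head = "GET / HTTP/1.0\r\nReferer: ";
    const char *tail = "\r\n\r\n";
    char *req = malloc(strlen(head) + value_len + strlen(tail) + 1);
    if (!req) return NULL;
    strcpy(req, head);
    memset(req + strlen(head), 'A', value_len);
    strcpy(req + strlen(head) + value_len, tail);
    return req;
}

int main(void)
{
    char out[FIELD_BUF];
    const char *ok = "GET / HTTP/1.0\r\nReferer: http://example.com/\r\n\r\n";
    char *evil = make_long_request(4096);   /* constructed over-long header */

    printf("short referer, unsafe copy: %zu bytes\n", referer_unsafe(ok));
    printf("short referer, safe copy:   %d (%s)\n",
           referer_safe(ok, out, sizeof out), out);
    /* 4096 bytes would smash the stack inside referer_unsafe; only the
     * bounded version is ever exercised with it. */
    printf("long referer,  safe copy:   %d (rejected)\n",
           referer_safe(evil, out, sizeof out));
    free(evil);
    return 0;
}
```

The same length-before-copy check applies to the request line and to the webfind.exe search string: the defect in each case is a copy whose bound comes from the attacker rather than from the destination buffer.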

Resolutions

Upgrade to Website Pro version 2.5 or higher.

Where can I read more about this?

Both buffer overflows were posted to Bugtraq, in separate reports.