QwikSec

Security Database

CVE

CWE

Training

CVE-2018-16789

Published: Mar 17, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://packetstormsecurity.com/files/149978/Shell-In-A-Box-2.2.0-Denial-Of-Service.html

x_refsource_MISC

http://seclists.org/fulldisclosure/2018/Oct/50

x_refsource_MISC

https://github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361

x_refsource_CONFIRM

https://code.google.com/archive/p/shellinabox/issues

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.