• Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings
Buffer overflow in Michael Lamont Savant Web Server 3.0 allows remote attackers to cause a denial of service (crash) via a long HTTP request to the cgi-bin directory in which the CGI program name contains a large number of . (dot) characters.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
Date Entry Created
20020315 Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (20020911-01)
Votes (Legacy)
ACCEPT(2) Frech, Green
NOOP(4) Cole, Foat, Wall, Ziese
REVIEWING(1) Christey
Comments (Legacy)
 Christey> Should CVE-2002-0099 and/or CVE-2001-0433 be MERGED with
   CVE-2000-0641?  All describe slightly different overflows
   that, perhaps, should be merged according to CD:SF-LOC.
   It depends on which versions are affected, which would require
   some vendor acknowledgement or consultation.
   A vague changelog for version 3.1 at says
   "security fixes" but it's not clear *which* security fixes
   were made.
   The description for CVE-2000-0641 is slightly incorrect.  The
   exploit is clearly due to a large number of headers, not
   arguments to the GET request itself.  So, CVE-2000-0641
   clearly overlaps with CVE-2001-0433.
   The exploit for CVE-2001-0433 also doesn't really have
   anything to do with a "" program (which isn't in
   the distribution).  The discloser simply used that as an
   example program of a long request.
 Christey> Modify description so that overflow is described as being
   part of the CGI module (so it appears).
   Also, Tamer Sahin confirmed via email (9/11/02) that the
   problem was explicitly exhibited using a large number of
   . (dot) characters.

Proposed (Legacy)
This is an entry on the CVE list, which standardizes names for security problems.