[Vulnerability Description]
- Hydra through 0.1.8 has a NULL pointer dereference and daemon crash when processing POST requests
that lack a 'Content-Length' header. The issue comes from the process_header_end() function, which
calls boa_atoi(), which ultimately calls atoi() on a null pointer.
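
A defensive pattern for the missing-header case described above, as an added example that is not code from Hydra or Boa: the function name, status enum and 1 MiB body limit are assumptions chosen for illustration. It checks for an absent header before any numeric conversion and also rejects malformed and oversized values.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical names throughout; not taken from the Hydra or Boa source. */
enum cl_status {
    CL_OK = 0,
    CL_MISSING = 411,   /* no header: answer 411 Length Required */
    CL_MALFORMED = 400, /* empty, signed, non-numeric, trailing junk */
    CL_TOO_LARGE = 413  /* above the configured body limit */
};

#define MAX_POST_BODY (1L << 20) /* assumed 1 MiB limit */

/* Validate a raw Content-Length value before any numeric conversion.
 * hdr is NULL when the request carried no such header, which is the
 * case that reaches atoi() unchecked in the flaw described above. */
enum cl_status parse_content_length(const char *hdr, long *out)
{
    char *end;
    long v;

    if (hdr == NULL)
        return CL_MISSING;          /* never hand NULL to atoi()/strtol() */
    while (*hdr == ' ' || *hdr == '\t')
        hdr++;                      /* optional leading whitespace */
    if (!isdigit((unsigned char)*hdr))
        return CL_MALFORMED;        /* rejects "", "-1", "+5", "abc" */

    errno = 0;
    v = strtol(hdr, &end, 10);
    if (errno == ERANGE)
        return CL_TOO_LARGE;        /* value does not fit in a long */
    while (*end == ' ' || *end == '\t')
        end++;                      /* optional trailing whitespace */
    if (*end != '\0')
        return CL_MALFORMED;        /* trailing garbage such as "12abc" */
    if (v > MAX_POST_BODY)
        return CL_TOO_LARGE;
    *out = v;                       /* written only on success */
    return CL_OK;
}
```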
[Additional Information]
- The Hydra web server is widely used by embedded networking equipment, such as switches, and embedded devices in general.
Because of this fact, it is very difficult to specify device models or vendors that may be impacted by this vulnerability.
Rudimentary scans using Shodan show over 8,000 devices registered broadcasting the "Hydra v0.1.8" server, open to the |