[Vulnerability Description]
- Hydra through 0.1.8 has a NULL pointer dereference and daemon crash when processing POST requests
that lack a 'Content-Length' header. The issue comes from the process_header_end() function, which
calls boa_atoi(), which ultimately calls atoi() on a null pointer.
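The missing check described above, as an added example that is not Hydra's code and does not come from the advisory: a Content-Length parser that handles an absent header instead of passing NULL to atoi(). The function names, the status mapping (411/400/413) and the 1 MiB body limit are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical result codes, mapped to HTTP status values (assumed policy). */
enum cl_status { CL_OK = 0, CL_INVALID = 400, CL_MISSING = 411, CL_TOO_LARGE = 413 };

#define MAX_BODY_BYTES (1024L * 1024L) /* assumed upper bound for a POST body */

/* Unchecked pattern, shown for comparison only and never called here:
 * header_value is NULL when the client sent no Content-Length header,
 * and atoi(NULL) is undefined behaviour. */
int parse_length_unchecked(const char *header_value)
{
    return atoi(header_value);
}

/* Hardened form: NULL check first, then strict decimal parsing.
 * *out is written only when CL_OK is returned. */
enum cl_status parse_content_length(const char *header_value, long *out)
{
    char *end = NULL;
    long n;

    if (header_value == NULL)
        return CL_MISSING;      /* POST without Content-Length */
    if (*header_value < '0' || *header_value > '9')
        return CL_INVALID;      /* empty, signed, or leading junk */

    errno = 0;
    n = strtol(header_value, &end, 10);
    if (errno == ERANGE)
        return CL_TOO_LARGE;    /* does not fit in a long */
    if (*end != '\0')
        return CL_INVALID;      /* trailing junk such as "12abc" */
    if (n > MAX_BODY_BYTES)
        return CL_TOO_LARGE;

    *out = n;
    return CL_OK;
}
```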
[Additional Information]
- The Hydra web server is widely used by embedded networking equipment, such as switches, and embedded devices in general.
Because of this fact, it is very difficult to specify device models or vendors that may be impacted by this vulnerability.
Rudimentary scans using Shodan show over 8,000 devices registered broadcasting the "Hydra v0.1.8" server, open to the |