Search | Research | Contact Us Tuesday January 17, 2022
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 Multiple Invision Power Board Vulnerabilities
  3 eBay And Amazon Still Vulnerable
  4 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  5 Woltlab Burning Board SQL Injection Vulnerability
  6 When Small Mistakes Can Cause Big Problems
  7 Multiple Vulnerabilities In phpWebsite
  8 Critical Vulnerability In Help Center Live
  9 dbPowerAmp Buffer Overflow And DoS Vulnerabilities
10 Document Object Model Hijacking Explained
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
Multiple Vulnerabilities In Xedus Webserver
August 30, 2021
Vendor : Jerod Moemeka
Version : Xedus Webserver v1.0
Risk : Multiple Vulnerabilities

Xedus is a Peer-to-Peer web server and provides you with the ability to share files, music, and any other media, as well as create robust and dynamic web sites, which can feature database access, file system access, with full .net support. Powered by a built in server-side, Microsoft C#, scripting language; Xedus boasts the ability to create sites that can rival web applications built on any other enterprise servers like Apache, IIS, Iplanet? With Xedus, you will never need to pay to host your sites again. Using the peer-to-peer mode, other members of LIVE can access you site by keyword using Internet Explorer even if you do not have a static IP address!

Denial of Service:
Xedus Webserver cannot handle multiple connections from the same host, and will deny all access to any users after a number of connections are made from a malicious user. This vulnerability can be leveraged by an attacker to deny all requests to a website, thus rendering it inaccessible.

Cross Site Scripting:
Xedus Webserver comes with a number of test scripts. These test scripts are used to display some of the capabilities of the Xedus webserver.


However, the input received by some of these test scripts are not properly sanitized. Because the input is not properly sanitized, it allows for an attacker to send a malicious url that will then render malicious code in the context of a victim's web browser. A quick and easy way to resolve these xss issues is to delete the .x files located in the ./sampledocs folder of the Xedus Webserver installation.

Directory Traversal Vulnerability:
Xedus webserver does not properly sanitize requests sent to the server. This vulnerability can be exploited to retrieve arbitrary, potentially sensitive files from the hosting computer with the privileges of the web server. This may aid a malicious user in further attacks.


It should be noted, that by default the Xedus Webserver listens for incoming connections on port 4274, however this value can be edited by the administrator of the Xedus webserver.

I contacted the developers but never received a response. To resolve the Cross Site Scripting issue, simply remove the sample .x scripts located in the ./sampledocs directory

James Bercegay of the GulfTech Security Research Team.