Sante PACS Server Denial-of-Service Vulnerability via Uninitialized Pointer Access

Vulnerability

A denial-of-service vulnerability has been identified in Sante PACS Server version 4.1.0. The issue arises in the 'GetWebLoginCredentials' function, where the application improperly handles multipart form-data login requests. The function expects to find the 'usrname', 'passwrd', and 'session_id' fields. However, if the 'usrname' field is the last one in the request and no lines follow it, the function accesses an uninitialized pointer. This flaw can lead to an access violation, causing the application to crash.

Impact

Exploitation of this vulnerability causes the application to terminate unexpectedly, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a multipart form-data login request to the application's embedded web server. The request must include the 'usrname' field as the last item, without any subsequent lines. This can be done using a network tool or script that simulates the multipart form-data upload, ensuring the 'usrname' field is positioned to trigger the uninitialized pointer access.

Remediation

Users are advised to upgrade to Sante PACS Server version 4.2.0 or later.
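
As an added example (not code from this advisory or from the vendor), the following check could run in a reverse proxy or a log-replay script in front of the embedded web server to reject login bodies that are not well-formed multipart, which includes the case described above where the 'usrname' part ends the request with nothing after it. The boundary value, the sample bodies and the function name are constructed for illustration; only the three field names come from the advisory.

```python
import re

REQUIRED = {"usrname", "passwrd", "session_id"}  # field names from the advisory

def check_login_body(content_type: str, body: bytes) -> list[str]:
    """Return a list of problems; an empty list means the body is well-formed."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return ["no multipart boundary in Content-Type"]
    delim = b"--" + m.group(1).encode()
    problems = []
    if not body.rstrip(b"\r\n").endswith(delim + b"--"):
        problems.append("missing closing boundary")
    seen = set()
    for part in body.split(delim)[1:]:   # element 0 is the preamble
        if part.startswith(b"--"):       # closing delimiter reached
            break
        headers, sep, _value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', headers)
        if not name:
            problems.append("part without a field name")
            continue
        field = name.group(1).decode("latin-1")
        if not sep:                      # header line with nothing after it
            problems.append(f"field '{field}' has headers but no blank line or value")
        seen.add(field)
    problems += [f"missing field '{f}'" for f in sorted(REQUIRED - seen)]
    return problems

# Constructed sample input (hypothetical boundary and values).
CT = "multipart/form-data; boundary=XSAMPLE"
GOOD = (
    b'--XSAMPLE\r\nContent-Disposition: form-data; name="session_id"\r\n\r\nabc\r\n'
    b'--XSAMPLE\r\nContent-Disposition: form-data; name="passwrd"\r\n\r\nsecret\r\n'
    b'--XSAMPLE\r\nContent-Disposition: form-data; name="usrname"\r\n\r\nalice\r\n'
    b'--XSAMPLE--\r\n'
)
# Same body cut off right after the 'usrname' header line (constructed).
CUT = GOOD[:GOOD.index(b'name="usrname"') + len(b'name="usrname"')]

if __name__ == "__main__":
    print("well-formed:", check_login_body(CT, GOOD))
    print("truncated:  ", check_login_body(CT, CUT))
```

A non-empty result is the signal to drop the request before it reaches the server and to log the source for review.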

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.