On February 14th, an advisory posted on BugTraq (bugtraq, InfoHacking) described two ways to inject data into HTTP responses using a crafted request.

• The "Error response arbitrary injection" method is not applicable to Zeus Web Server.

• The "Location HTTP header injection" affects Zeus Web Server. A number of other web servers, including Apache and IIS, can also be provoked in this way.

This article discusses the advisory as it pertains to Zeus Web Server, and assesses how it may be exploited to provoke undesired behaviour. Read more...

Zeus has discovered a serious security bug in the Content Negotiation feature of Zeus Web Server in versions prior to 4.3r3.

This document describes the scope of the problem and its solution.

New security requirements can require that low-grade encryption ciphers are not accepted from clients when they initiate an SSL request to a webserver.

In releases of ZWS version 4.3 and above, new features have been added to allow the list of acceptable ciphers to be manually specified.

Read more...

On the 29th of May 2003, a cross-site-scripting attack against the Zeus Administration Server was reported on bugtraq (incident "Zeus Web Server Admin Interface VS_Diag.CGI Cross Site Scripting Vulnerability").

Read more...

On November 9th 2002, a cross-site-scripting attack against the Zeus Administration Server was reported on bugtraq (incident "Zeus Web Server Admin Interface Cross Site Scripting Vulnerability").

Read more...