Xitami 2.5d4 and previous versions allows remote malicious users to crash the server via an HTTP request to the /aux directory.
imatix xitami 2.4d7
imatix xitami 2.5d4