| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Jun 2006 19:20:12 -0400 (EDT) From: "Steven M. Christey" <coley@...re.org> To: bugtraq@...urityfocus.com Subject: Re: my Web Server << v-1.0 Denial of Service Exploit str0ke asked: >Is this the same vulnerability? >http://www.securityfocus.com/bid/5954 Well, let's see. Short answer is "probably not because they don't seem to be the same product." The most recent disclosure points to "MY Web Server" at http://eitsop.s5.com/, which links to source code in a ZIP file. Downloading the source code, we have a readme.txt that is dated June 22, 2002; the MyWS.exe also has this date. The deployment is very simple, with a handful of template files with minimal contents. summary: Author - eitsop Product - MY Web Server Version - 1.0 Date - June 22, 2002 Source Code - yes Now, the original disclosure as identified in BID 5954 points to a Bugtraq post (http://seclists.org/lists/bugtraq/2002/Oct/0177.html ; the securityfocus URL is broken) which points to http://www.mywebserver.org/ Note that there appears to be vendor acknowledgement of the issue in 1.0.3 in this changelog: http://www.mywebserver.org/us/downloads/whats_new_in_this_version.shtml which says "MyWebServers handles very long URL's and search strings making it invulnerable to DOS (Denial Of Service) Attacks by hackers." Still, the question remains - are these the same product or not? The author is different - Seth Snyder The product spelling is slightly different - MyWebServer (one word, instead of three) The current version is 1.0.3. A quick look suggests many more features than the Eitsop version. Looking at the history provided in the above URL, we have 2 dates for version 1.0 beta releases: 05/24/01 and 07/15/01 So, the release dates are also different. Finally, I ran "strings" on the two versions and compared results. The only shared strings were "My Web Server", "Request", "index.html", and a few other incidental matches. So - we have different authors, different spellings, different release dates, and entirely different strings. Looks different enough to me. But since they're web servers in early stages of development, it's not surprising that they join a couple dozen other web servers for having a buffer overflow using a long GET request - which is clearly "Vulnerability Assessment Assurance Level" 0, to remind people of David Litchfield's recent proposals on rating software security. - Steve
Powered by blists - more mailing lists