Network Security Vuln-Dev

Re: my Web Server << v-1.0 Denial of Service Exploit

Subject: Re: my Web Server << v-1.0 Denial of Service Exploit
Date: Thu, 1 Jun 2006 19:20:12 -0400 (EDT)

str0ke asked:

Is this the same vulnerability?
http://www.securityfocus.com/bid/5954


Well, let's see.  Short answer is "probably not because they don't
seem to be the same product."


The most recent disclosure points to "MY Web Server" at
http://eitsop.s5.com/, which links to source code in a ZIP file.

Downloading the source code, we have a readme.txt that is dated June
22, 2002; the MyWS.exe also has this date.  The deployment is very
simple, with a handful of template files with minimal contents.

summary:

Author - eitsop
Product - MY Web Server
Version - 1.0
Date - June 22, 2002
Source Code - yes


Now, the original disclosure as identified in BID 5954 points to a
Bugtraq post (http://seclists.org/lists/bugtraq/2002/Oct/0177.html ;
the securityfocus URL is broken) which points to
http://www.mywebserver.org/

Note that there appears to be vendor acknowledgement of the issue in
1.0.3 in this changelog:
http://www.mywebserver.org/us/downloads/whats_new_in_this_version.shtml

which says "MyWebServers handles very long URL's and search strings
making it invulnerable to DOS (Denial Of Service) Attacks by hackers."


Still, the question remains - are these the same product or not?


The author is different - Seth Snyder

The product spelling is slightly different - MyWebServer (one word,
instead of three)

The current version is 1.0.3.  A quick look suggests many more
features than the Eitsop version.

Looking at the history provided in the above URL, we have 2 dates for
version 1.0 beta releases: 05/24/01 and 07/15/01

So, the release dates are also different.

Finally, I ran "strings" on the two versions and compared results.
The only shared strings were "My Web Server", "Request", "index.html",
and a few other incidental matches.


So - we have different authors, different spellings, different release
dates, and entirely different strings.  Looks different enough to me.

But since they're web servers in early stages of development, it's not
surprising that they join a couple dozen other web servers for having
a buffer overflow using a long GET request - which is clearly
"Vulnerability Assessment Assurance Level" 0, to remind people of
David Litchfield's recent proposals on rating software security.

- Steve
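
The "strings" comparison described in the message above, as an added example that is not part of the original post: it extracts printable ASCII and UTF-16LE runs from two binaries and reports the overlap. The function names and both sample blobs are constructed for illustration; they are not the contents of either product's executable.

```python
import re

ASCII_RUN = rb"[\x20-\x7e]{%d,}"          # runs of printable ASCII bytes
UTF16_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"  # same characters stored as UTF-16LE

def extract_strings(blob, min_len=4):
    """Return the set of printable strings of at least min_len characters."""
    found = {m.group().decode("ascii")
             for m in re.finditer(ASCII_RUN % min_len, blob)}
    found |= {m.group().decode("utf-16-le")
              for m in re.finditer(UTF16_RUN % min_len, blob)}
    return found

def compare(blob_a, blob_b, min_len=4):
    """Summarise string overlap between two binaries."""
    a = extract_strings(blob_a, min_len)
    b = extract_strings(blob_b, min_len)
    shared, union = a & b, a | b
    return {
        "shared": sorted(shared),
        "only_a": len(a - shared),
        "only_b": len(b - shared),
        # Jaccard index: 1.0 means identical string sets, 0.0 means disjoint.
        "jaccard": len(shared) / len(union) if union else 0.0,
    }

def _blob(ascii_strs, wide_strs):
    # Constructed stand-in for a binary: strings separated by non-printable bytes.
    out = b"\x01"
    for s in ascii_strs:
        out += s.encode("ascii") + b"\x01"
    for s in wide_strs:
        out += s.encode("utf-16-le") + b"\x01\x01"
    return out

# Constructed samples: a few generic web-server strings in common, the rest distinct.
SAMPLE_A = _blob(["My Web Server", "Request", "index.html", "readme.txt",
                  "Error reading template"], ["MyWS.exe"])
SAMPLE_B = _blob(["My Web Server", "Request", "index.html", "Search results for",
                  "Guestbook entry saved", "Upload complete"], ["MyWebServer"])

if __name__ == "__main__":
    # For real files, pass open(path, "rb").read() instead of the samples.
    print(compare(SAMPLE_A, SAMPLE_B))
```

A low overlap made up only of generic strings points to separate code bases; a high overlap needs a closer look, since shared runtime or library strings inflate the score, and packed executables expose few strings at all.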

  • Re: my Web Server << v-1.0 Denial of Service Exploit, Steven M. Christey <=