[VIM] my Web Server << v-1.0 Denial of Service Exploit (fwd)

Steven M. Christey coley at linus.mitre.org
Thu Jun 1 21:20:22 EDT 2006



---------- Forwarded message ----------
Date: Thu, 1 Jun 2006 19:20:12 -0400 (EDT)
From: Steven M. Christey <coley at mitre.org>
To: bugtraq at securityfocus.com
Subject: Re: my Web Server << v-1.0 Denial of Service Exploit


str0ke asked:

>Is this the same vulnerability?
>http://www.securityfocus.com/bid/5954


Well, let's see.  Short answer is "probably not because they don't
seem to be the same product."


The most recent disclosure points to "MY Web Server" at
http://eitsop.s5.com/, which links to source code in a ZIP file.

Downloading the source code, we have a readme.txt that is dated June
22, 2002; the MyWS.exe also has this date.  The deployment is very
simple, with a handful of template files with minimal contents.

summary:

Author - eitsop
Product - MY Web Server
Version - 1.0
Date - June 22, 2002
Source Code - yes


Now, the original disclosure as identified in BID 5954 points to a
Bugtraq post (http://seclists.org/lists/bugtraq/2002/Oct/0177.html ;
the securityfocus URL is broken) which points to
http://www.mywebserver.org/

Note that there appears to be vendor acknowledgement of the issue in
1.0.3 in this changelog:
http://www.mywebserver.org/us/downloads/whats_new_in_this_version.shtml

which says "MyWebServers handles very long URL's and search strings
making it invulnerable to DOS (Denial Of Service) Attacks by hackers."


Still, the question remains - are these the same product or not?


The author is different - Seth Snyder

The product spelling is slightly different - MyWebServer (one word,
instead of three)

The current version is 1.0.3.  A quick look suggests many more
features than the Eitsop version.

Looking at the history provided in the above URL, we have 2 dates for
version 1.0 beta releases: 05/24/01 and 07/15/01

So, the release dates are also different.

Finally, I ran "strings" on the two versions and compared results.
The only shared strings were "My Web Server", "Request", "index.html",
and a few other incidental matches.


So - we have different authors, different spellings, different release
dates, and entirely different strings.  Looks different enough to me.

But since they're web servers in early stages of development, it's not
surprising that they join a couple dozen other web servers for having
a buffer overflow using a long GET request - which is clearly
"Vulnerability Assessment Assurance Level" 0, to remind people of
David Litchfield's recent proposals on rating software security.

- Steve


More information about the VIM mailing list