Re: MyServer 0.4.3 Denial Of Service

["badpack3t" <badpack3t () security-protocols com>]

Read my advisory just a little bit closer.  Those you mention below are
for 0.4.1 and 0.4.2.  The issue I found is much different, and is on
version 0.4.3.


-badpack3t
www.security-protocols.com

> ummm... is this a redux?
>
> http://exploitlabs.com/files/advisories/EXPL-A-2003-012-myServer.txt
> July 5 2003 and
> http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0047.html
> and
> http://lists.insecure.org/lists/bugtraq/2003/Jun/0181.html  June 21 2003
>
> unless you have got a remote shell or other compromize, this is a known
> issue
>
>
> Donnie Werner
> http://exploitlabs.com
>
>
>
> ----- Original Message -----
> From: "badpack3t" <badpack3t () security-protocols com>
> To: <badpack3t () security-protocols com>
> Sent: Monday, September 08, 2003 1:29 PM
> Subject: [Full-disclosure] MyServer 0.4.3 Denial Of Service
>
>
> > SP Research Labs Advisory x06
> > ---------------------------------
> > www.security-protocols.com
> >
> > MyServer 0.4.3 Denial of Service
> > ---------------------------------
> >
> > Download it here:
> > http://myserverweb.sourceforge.net
> >
> > Date Released - 09/08/2003
> >
> > ------------------------------------
> > Product Description from the vendor:
> > MyServer is a free and easy to configure web server.  MyServer is
> > licensed under the GNU General Public License (GPL). See the license
> > page for additional info.  MyServer is in continuous development and
> > new features will be present in future releases. Go here to see the
> > latest news from the MyServer project.  It is available for windows
> > and linux platforms. MyServer's principal goal is to create a free and
> > simple powerful server to allow everyone to transform his home PC in a
> > server and be you own webmaster with few clicks and share information
> > easily with all the world!
> >  It is a multithread application that support multiprocessor machines,
> > in
> > this way can be appreciated for professional uses too.
> >
> > ---------------------------
> > Vulnerability Description:
> >
> > A denial of service (could possibly be exploitable) vulnerability
> > exists within MyServer 0.4.3.
> >
> > 2.2.10.0. Please see the exploit code for the malicious payload as it
> > is to large to post within the email. Once the malicious payload has
> > been sent, the web server will crash giving a runtime error.  If you
> > have found out that this is indeed exploitable, please send me an
> > email if you don't mind.
> >
> > Advisory Link:
> >
> > http://www.security-protocols.com/article.php?sid=1596&mode=thread&order=0
> >
> > Tested on:
> >
> > Windows XP Pro SP1
> > Windows 2000 SP3
> >
> > ----------------------------
> > Download the exploit here:
> >
> > http://fux0r.phathookups.com/coding/c++/sp-myserver.c
> >
> > peace out,
> >
> > ----------------------------
> > badpack3t
> > founder
> > www.security-protocols.com
> > ----------------------------
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html