MyWebServer 1.0.3

From: nekd0 (nekd0_at_rambler.ru)
Date: 09/27/04

    Date: Mon, 27 Sep 2004 08:17:43 +0400
    To: bugtraq@securityfocus.com

    Hello bugtraq,

                                    -= Unl0ck Team Security Advisory =-

            ____ ___ __ _______ __ ___________
           | | \____ | | \ _ \ ____ | | __ \__ ___/___ _____ _____
           | | / \| | / /_\ \_ / ___\| |/ / | |_/ __ \\__ \ / \
           | | / | \ |_\ \_/ \ \___ | < | |\ ___/ / __ \| Y Y \
           |______/|___| /____/\_____ /\_____ >__|_ \ |____| \___ >____ /__|_| /
                        \/ \/ \/ \/ \/ \/ \/
                             ... the best way of protection is attack

    Bug: Denial of service & non password admin panel access
    (in all server configurations).
    Product: MyWebServer 1.0.3
    Risk: Medium
    Vendor: http://www.mywebserver.org
    Reference: http://unl0ck.blackhatz.info/advisories.html

    Overview:
    MyWebServer - web server for win.

    Details:

    Denial of service:
    In order to crash the server you have to create more than 107
    connections with the HTTP service very fast.

    Non-password admin panel access:
    Any user can access http://localhost/admin in any server
    configuration. Any user can access http://localhost/admin/ServerProperties.html,
    where you can change server properties and make FTP accounts with a path in any
    part of the hard disk, which means that a remote attacker may view any file on the hard drive.

    23/09/04.
    (c) by unl0ck team.
    http://unl0ck.blackhatz.info/ | http://unl0ck.net.ru

    -- 
    Best regards,
     nekd0                          mailto:nekd0@rambler.ru
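
A defender-side complement to the post above, added here as an example and not part of the original advisory or of MyWebServer: a Python filter over constructed access-log lines that flags successful admin-panel requests from non-loopback clients and sources that exceed a request burst threshold. The common-log-style line layout, the 50-requests-in-5-seconds threshold and the sample addresses are assumptions; the page does not describe MyWebServer's log format.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
# Paths the advisory reports as reachable without a password.
ADMIN_PATHS = {"/admin", "/admin/", "/admin/ServerProperties.html"}
# The advisory says >107 rapid connections crash the server; alert well below that.
BURST_THRESHOLD, BURST_WINDOW_S = 50, 5
# Assumed common-log-style line: ip - - [time] "METHOD path HTTP/x" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')

def parse_line(line):
    # Returns None for lines that do not match the assumed layout.
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"),
            "path": path, "status": int(status)}

def find_admin_access(records):
    """(ip, path) for successful admin-panel requests from non-loopback clients."""
    return [(r["ip"], r["path"]) for r in records
            if r["path"].split("?", 1)[0] in ADMIN_PATHS
            and r["status"] == 200 and not ip_address(r["ip"]).is_loopback]

def find_bursts(records):
    """Source IPs with more than BURST_THRESHOLD requests inside BURST_WINDOW_S seconds."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["time"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            # Slide the window end forward while it stays within BURST_WINDOW_S of times[i].
            while j < len(times) and (times[j] - times[i]).total_seconds() <= BURST_WINDOW_S:
                j += 1
            if j - i > BURST_THRESHOLD:
                flagged.add(ip)
                break
    return sorted(flagged)

# Constructed sample log: one remote admin hit, one loopback admin hit, one 60-request burst.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Sep/2004:10:00:01] "GET /index.html HTTP/1.0" 200',
    '203.0.113.5 - - [23/Sep/2004:10:00:02] "GET /admin/ServerProperties.html HTTP/1.0" 200',
    '127.0.0.1 - - [23/Sep/2004:10:00:03] "GET /admin HTTP/1.0" 200',
] + ['198.51.100.7 - - [23/Sep/2004:10:01:%02d] "GET / HTTP/1.0" 200' % (i % 3)
     for i in range(60)]
```

The loopback hit on /admin is deliberately not reported, since local administration is the intended use; only the remote hit and the burst source are returned.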
    
