<<< Date Index >>>     <<< Thread Index >>>

MyWebServer 1.0.3



Hello bugtraq,

                                -= Unl0ck Team Security Advisory =-

        ____ ___       __  _______           __      ___________
       |    |   \____ |  | \   _  \    ____ |  | __  \__    ___/___ _____    
_____
       |    |   /    \|  | /  /_\  \_ / ___\|  |/ /    |    |_/ __ \\__  \  /   
  \
       |    |  /   |  \  |_\  \_/   \  \___ |    <     |    |\  ___/ / __ \|  Y 
Y  \
       |______/|___|  /____/\_____  /\_____ >__|_ \    |____| \___  >____  
/__|_|  /
                    \/            \/       \/    \/               \/     \/     
 \/
                         ... the best way of protection is attack


Bug: Denial of service & non password admin panel access
(in all server configurations).
Product: MyWebServer 1.0.3
Risk: Medium
Vendor: http://www.mywebserver.org
Reference: http://unl0ck.blackhatz.info/advisories.html


Overview:
MyWebServer - web server for win.

Details:

Denial of service:
In order to crash the server you have to create more than 107
connections with the HTTP service very fast.


Non password admin panel access:
Any user can access http://localhost/admin in any server
configuration. Any user can access http://localhost/admin/ServerProperties.html
where you can change server properties and make ftp accounts with path in any
part of hard disk, what mean that - remote attacker may veiw any file on hard 
drive.


23/09/04.
(c) by unl0ck team.
http://unl0ck.blackhatz.info/ | http://unl0ck.net.ru


-- 
Best regards,
 nekd0                          mailto:nekd0@xxxxxxxxxx