str0ke asked:

>Is this the same vulnerability?
>http://www.securityfocus.com/bid/5954

Well, let's see. Short answer is "probably not because they don't seem to be the same product."

The most recent disclosure points to "MY Web Server" at http://eitsop.s5.com/, which links to source code in a ZIP file. Downloading the source code, we have a readme.txt that is dated June 22, 2002; the MyWS.exe also has this date. The deployment is very simple, with a handful of template files with minimal contents.

Summary:

  Author - eitsop
  Product - MY Web Server
  Version - 1.0
  Date - June 22, 2002
  Source Code - yes

Now, the original disclosure as identified in BID 5954 points to a Bugtraq post (http://seclists.org/lists/bugtraq/2002/Oct/0177.html ; the securityfocus URL is broken) which points to http://www.mywebserver.org/

Note that there appears to be vendor acknowledgement of the issue in 1.0.3 in this changelog:

  http://www.mywebserver.org/us/downloads/whats_new_in_this_version.shtml

which says "MyWebServers handles very long URL's and search strings making it invulnerable to DOS (Denial Of Service) Attacks by hackers."

Still, the question remains - are these the same product or not?

  - The author is different - Seth Snyder
  - The product spelling is slightly different - MyWebServer (one word, instead of three)
  - The current version is 1.0.3.
  - A quick look suggests many more features than the Eitsop version.
  - Looking at the history provided in the above URL, we have 2 dates for version 1.0 beta releases: 05/24/01 and 07/15/01. So, the release dates are also different.

Finally, I ran "strings" on the two versions and compared results. The only shared strings were "My Web Server", "Request", "index.html", and a few other incidental matches.

So - we have different authors, different spellings, different release dates, and entirely different strings. Looks different enough to me.
But since they're web servers in early stages of development, it's not surprising that they join a couple dozen other web servers for having a buffer overflow using a long GET request - which is clearly "Vulnerability Assessment Assurance Level" 0, to remind people of David Litchfield's recent proposals on rating software security. - Steve
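The "strings" comparison described in the message above, as an added example that is not part of the original post: it approximates strings(1) with POSIX tools only, intersects the two result sets, and discounts generic HTTP strings so that incidental matches like "Request" or "index.html" do not inflate the overlap. The two sample "binaries" and the ignore list are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or either vendor.
# Assumption: printable runs of 4+ characters stand in for strings(1) output,
# so the check works even where binutils is not installed.

# Extract printable runs of at least 4 characters from a file, deduplicated.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$' | sort -u
}

# Print the strings present in both files (set intersection), one per line.
shared_strings() {
    a=$(mktemp); b=$(mktemp)
    extract_strings "$1" > "$a"
    extract_strings "$2" > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Count shared strings after dropping boilerplate any HTTP server would contain.
# The ignore list is a constructed assumption mirroring the "incidental matches".
shared_count() {
    shared_strings "$1" "$2" \
        | grep -v -E '^(Request|index\.html|HTTP/1\.[01]|GET)$' \
        | wc -l | tr -d ' '
}

# Constructed sample files: two unrelated builds that share only generic strings
# plus the product name, as in the comparison described in the post.
make_samples() {
    printf 'MZ\001\002My Web Server\000eitsop\000Request\000index.html\000\003\004' > "$1"
    printf 'MZ\005\006My Web Server\000Seth Snyder\000Request\000index.html\000whats_new\000' > "$2"
}
```

A low count after filtering, as here, supports the "different product" conclusion; a high count of non-generic shared strings would instead suggest a fork or rebrand worth examining further.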