Bugtraq mailing list archives

Long URL crashes My Web Server 1.0.2


From: Marc Ruef <marc.ruef () computec ch>
Date: Sat, 12 Oct 2002 07:49:52 +0200

Hi!

I found a security bug in the "My Web Server 1.0.2 [Build 03.27.02]"
(tested on Windows XP Professional). It could be that prior versions are
also affected.

It's possible to crash the webserver with a very long request like
this[1]:

http://192.168.0.2/AAA...(approx. Ax994)...AAA

Sometimes the "My Webserver V1.0 Control Panel" disappears immediately,
sometimes with an error message (it seems to depend on the length of the
request), and the whole web server part shuts down (no http listening
anymore).

You have to restart the "My Webserver" to get a running web server.

I've informed info () mywebserver org on 02/10/11 about the problem and
they acknowledged the vulnerability. It would be a good idea to
implement in an upcoming version an input check to cut long requests.
Seth Snyder replied that he'll add such a feature as soon as possible.

Bye, Marc

[1] It could be that the CodeRed worm crashes a web server running the
vulnerable "My Web Server". Also some CGI scanners (e.g. N-Stealth by
Felipe Moniz) check such long requests. But it's easy to detect very
long http requests with an intrusion detection system.

-- 
Computer, Technik und Security
http://www.computec.ch
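
Added example (not part of the original post and not My Web Server's code): one way to implement the input check suggested above, as a bounded request-line reader that answers an overlong request with 414 instead of buffering it. The 512-byte limit, the method set and the function name are assumptions.

```python
import io

MAX_REQUEST_LINE = 512  # assumed limit in bytes, CRLF excluded; tune per deployment
METHODS = {b"GET", b"HEAD", b"POST"}  # assumed set for a small static server


def read_request_line(stream, limit=MAX_REQUEST_LINE):
    """Read one HTTP request line without buffering more than limit+2 bytes.

    Returns (status, method, target): 200 with the parsed fields, 414 when
    the line exceeds the limit, 400 when it is malformed or truncated.
    The caller should send the status and close the connection on non-200.
    """
    # readline(n) returns after n bytes even if no newline was seen, so the
    # client cannot make the server allocate an arbitrarily long buffer.
    line = stream.readline(limit + 2)
    if not line.endswith(b"\n"):
        # Limit reached before the terminator (too long), or the peer
        # closed the connection in the middle of the line (truncated).
        return (414 if len(line) >= limit + 2 else 400, None, None)
    line = line.rstrip(b"\r\n")
    if len(line) > limit:  # bare-LF terminator can leave one extra byte
        return (414, None, None)
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS:
        return (400, None, None)
    method, target, version = parts
    if not target.startswith(b"/") or version not in (b"HTTP/1.0", b"HTTP/1.1"):
        return (400, None, None)
    # Only printable ASCII is allowed in the target; anything else is rejected.
    if any(b < 0x21 or b > 0x7E for b in target):
        return (400, None, None)
    return (200, method.decode(), target.decode())


if __name__ == "__main__":
    # Constructed sample requests, including a path of the length reported above.
    samples = [b"GET /index.html HTTP/1.0\r\n",
               b"GET /" + b"A" * 994 + b" HTTP/1.0\r\n",
               b"GET /index.html"]
    for raw in samples:
        print(len(raw), read_request_line(io.BytesIO(raw))[0])
```

The same length threshold can be reused on the detection side, since a 414 response in the access log marks exactly the requests described in footnote [1].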

