Date: Mon, 1 Dec 2008 01:43:27 -0700
From: zimpel@...nline.de
To: bugtraq@...urityfocus.com
Subject: Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

See http://secunia.com/advisories/32696/:
The issue only exists when Pi3Web is installed as an interactive desktop application. However, it has not been reproduced on my test system so far.
A lot of information is missing from the original report, which may have an influence on the occurrence of the issue:
- operating system name, version, service pack
- Pi3Web configuration (number of connections, thread reuse, connection keep-alive, ...)
- test environment (application firewall, network components)

On the other hand, it is a conceptual question whether an interactive desktop application may wait for user input even if it is a server, and whether the blocking of client requests during this time is to be evaluated as a DoS. It has to be considered that no hardened internet configuration has been used, but an operation mode which is for web development.

Please add at least the precondition "Pi3Web must be installed as an interactive desktop application" to this report, because this is proven and is the common understanding of all involved people who are further analysing this issue.
--
regards,
Holger Zimmermann