Date: Wed, 3 Dec 2008 00:48:44 -0700
From: zimpel@...nline.de
To: bugtraq@...urityfocus.com
Subject: Re: Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

I could finally reproduce the problem, when I used the Pi3Web 2.0.3 release without any patches. After applying the available patches in the intended (incremental) order to this installation, with Pi3Web 2.0.3 PL2 the issue disappeared. 
 
It seems the creator of the original report has not used a properly maintained Pi3Web 2.03 with PL2 applied. The required patch PL2 is publicly available since April 2007. 
 
FINAL RESULT 
 
No vulnerability: 
- with a properly maintained Pi3Web version 2.0.3 with incremental patches up to PL2 applied 
- OR - when Pi3Web is installed as a Windows service 
- OR - when configuration template Pi3Web/Conf/Intenet.pi3 is used 
 
Vulnerability (remote DoS in the reported way) confirmed: 
- Pi3Web version 2.0.3 without any available patches installed 
- AND - Pi3Web is installed as a desktop application 
- AND - configuration template Pi3Web/Conf/Intenet.pi3 is not used 
 
Normally all of the three topics have to be considered, when the server is installed as a remotely accessible (internet) server. 
 
Older versions may be vulnerable under the same condition (installation as a desktop application) but a number of independent solutions are available: 
 
- use configuration template internet.pi3 as basis to setup own internet servers 
- delete the ISAPI (and other!) examples manually 
- apply one (and only one) of the following configuration changes: 
 
1.) supplement the mapping directive for ISAPI: 
Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper From="/isapi/" To="Isapi\" 
 
2.) add to the ISAPI handler object: 
CheckPath Condition="&not(&and(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" StatusCode StatusCode="404" 
 
PROPOSED ACTIONS FOR END USERS
Please check the Pi3Web server 2.0.3 installation to ensure that all available patches have been applied. All updates and patches for release Pi3Web 2.0.3 can be downloaded here: 
 
https://sourceforge.net/project/showfiles.php?group_id=17753&package_id=16751&release_id=257565 
 
For people, who use the web site http://www.pi3.org (and not the project web site at sourceforge) I added a hint/link in the download area to look for recent updates and patches at sourceforge. 
 
Users of older versions should either update to Pi3Web 2.0.3 (including PL2) or apply the proposed configuration change or delete the ISAPI examples completely from the ISAPI folder. 

PROPOSED ACTIONS FOR BID 32287:
The current description in the BID is inconsistent and wrong and therefore needs multiple updates:
- Pi3Web 2.0.3 PL2 is not vulnerable
- The issue is only valid for Windows versions of Pi3Web
- the following 3 conditions must all be fulfilled in order to produce the issue but are not mentioned at all:
  - Pi3Web version 2.0.3 is installed without any available patches
  - AND - Pi3Web is installed as a desktop application 
  - AND - configuration template Pi3Web/Conf/Intenet.pi3 is not used 

- The configuration workarounds I provided a few days ago are not mentioned at all. Instead it is stated in the BID: "Currently we are not aware of any vendor-supplied patches for this issue."

- one reference to my emails to bugtraq in the 'references' tab of the BID is double and therefore my previous mail to bugtraq is missing in the references list.
--  
 
kind regards, 
Holger Zimmermann 
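
An added example, not part of the original message or the Pi3Web project: a Python check that scans configuration text for the two workaround directives quoted above and reports whether none, one, or both are present, since the message says to apply one and only one. The function name, the unguarded sample mapping line, and the assumption that each directive sits on a single line are constructed for illustration.

```python
import re

# Directive shapes taken from the two workarounds quoted in the message.
MAPPING = re.compile(r'^\s*Mapping\b.*\bISAPIMapper\b')
CHECKPATH = re.compile(r'^\s*CheckPath\b.*\bStatusCode="404"')
CONDITION = re.compile(r'\bCondition="([^"]*)"')

# The two directives as given in the message.
WORKAROUND_1 = r"""Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper From="/isapi/" To="Isapi\" """
WORKAROUND_2 = r"""CheckPath Condition="&not(&and(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" StatusCode StatusCode="404" """
# Constructed sample (assumption): an ISAPI mapping with no Condition attribute.
UNGUARDED = r"""Mapping ISAPIMapper From="/isapi/" To="Isapi\" """


def has_dll_condition(line):
    """True if the directive carries a Condition that tests for '.dll'."""
    m = CONDITION.search(line)
    return bool(m) and ".dll" in m.group(1)


def audit_isapi_workaround(config_text):
    """Return (status, unguarded_mappings) for configuration text.

    status is 'none', 'one' or 'both', counting which of the two
    workarounds appear; unguarded_mappings counts ISAPI mapping lines
    that have no .dll Condition.
    """
    guarded_map = unguarded_map = guarded_check = 0
    for line in config_text.splitlines():
        if MAPPING.search(line):
            if has_dll_condition(line):
                guarded_map += 1
            else:
                unguarded_map += 1
        elif CHECKPATH.search(line) and has_dll_condition(line):
            guarded_check += 1
    applied = (guarded_map > 0) + (guarded_check > 0)
    return ("none", "one", "both")[applied], unguarded_map


if __name__ == "__main__":
    for name, text in [("unguarded", UNGUARDED),
                       ("workaround 1", WORKAROUND_1),
                       ("both", WORKAROUND_1 + "\n" + WORKAROUND_2)]:
        print(name, audit_isapi_workaround(text))
```

A result of `none` or `both`, or a non-zero count of unguarded mappings, marks a configuration that does not match what the message recommends.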
