lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 16 May 2005 16:56:51 +0200
From: "Claus R. F. Overbeck" <>
Subject: Pico Server (pServ) Remote Command Injection

            Advisory: Pico Server (pServ) Remote Command Injection

RedTeam found a remote command injection in Pico Server (pServ) which results
in a remote attacker being able to issue arbitrary commands on the server.


Product: Pico Server (pServ)
Affected Version: 3.2(verified), <=3.2 probably too
Immune Version: 3.3
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-Status: new version available
Advisory-Status: published
CVE: CAN-2005-1365
( #)

Pico Server is a small web server. It is meant to be portable and

* small, portable
* fast
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyzer)
* forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style so it can compile on
older compilers too) and sports several options that by means of #define
statements can customize the behavior, the performance and the feature set so
to be able to fit better the the requisites.

If pServ is compiled with support for CGI-BIN a remote attacker is able to
execute any program (with pServ permissions) on the server by traversing out
of the cgi-bin directory.

More Details

pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated as
To avoid that a user traverses out of the cgi-bin using traditional /../,
pServ parses the requested url. It increases a counter by one if it parses a
/ (new subdir) and decreases the counter if ist parses /../. If the counter
goes below zero the url is rejected as illegal. Unfortunately an attacker can
avoid beeing rejected, just using enough / in the url (without directory
names between them), so he can traverse out of the cgi-bin by adding some
/../ . This lets the attacker execute any program on the server (with pServ

Proof of Concept

The following url downloads a script (or executable) to the server:

This is how the script can be executed afterwards:


The only workaround is to compile pServ without support for cgi-bin.


The Developers have released Version 3.3. This version should fix the
problem. The changes have not been tested by RedTeam, yet.

Security Risk

The security risk is rated very high because a remote attacker can use this
flaw to execute arbitrary code on the server (with the permissions of pServ).


2005-04-29 found
2005-05-02 first attempt to inform developers
2005-05-02 CAN-number assigned
2005-05-04 second attempt to inform developers
2005-05-16 new version released. Advisory published


RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find more
Information on the RedTeam Project at

Powered by blists - more mailing lists