Date: 24 Nov 2008 21:53:28 -0000
From: zimpel@...nline.de
To: bugtraq@...urityfocus.com
Subject: Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

Still wrong, no DoS. The server responds to further requests, after the dialog box appears:
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/red_ball.gif HTTP/1.1" 200 397
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Tile.gif HTTP/1.1" 200 1866

Some explanation:
In desktop mode the application is interactive, but when installed as a system service it isn't.

Of course the preferred installation for a production server is a system service. On the other hand, the (interactive) desktop application is the choice for web application development.

Finally the ISAPI example (!!!) files can be deleted or a simple filter in the server configuration can be used in order to hide these files:

1.) either extend the mapping directive:
Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper From="/isapi/" To="Isapi\"

or 2.) extend the ISAPI handler object:
CheckPath Condition="&not(&or(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" StatusCode StatusCode="404"

Both filters for example URL http://hz/isapi/users.txt return an HTTP status 404.
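As an added illustration (not part of the post and not Pi3Web code), here is a small model of the CheckPath filter above, evaluated against a few request paths. It assumes Pi3Web's &regexp() behaves like a case-insensitive glob, that $U is the request URL path and $f the translated file path under the Isapi\ directory; those are assumptions, not documented semantics.

```python
import fnmatch
from typing import Optional

# Constructed model of the directive quoted in the post:
#   CheckPath Condition="&not(&or(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" StatusCode="404"
# Assumption: &regexp() is treated as a case-insensitive glob, $U is the
# request URL path and $f the file path produced by the /isapi/ -> Isapi\ mapping.

ISAPI_PREFIX = "/isapi/"   # From="/isapi/" in the mapping directive
ISAPI_DIR = "Isapi\\"      # To="Isapi\" in the mapping directive


def translate_path(url_path: str) -> str:
    """Mimic the ISAPIMapper translation of /isapi/<name> to Isapi\\<name>."""
    return ISAPI_DIR + url_path[len(ISAPI_PREFIX):].replace("/", "\\")


def glob_match(pattern: str, value: str) -> bool:
    """Case-insensitive glob match standing in for Pi3Web's &regexp()."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def check_path(url_path: str) -> Optional[int]:
    """Return 404 when the filter rejects the request, None when it passes on to ISAPI."""
    if not url_path.startswith(ISAPI_PREFIX):
        return None  # the filter only applies inside the ISAPI mapping
    file_path = translate_path(url_path)
    allowed = glob_match("*.dll*", url_path) or glob_match("*.dll", file_path)
    return None if allowed else 404


if __name__ == "__main__":
    for path in ("/isapi/users.txt", "/isapi/example.dll", "/isapi/example.dll/info", "/index.html"):
        print(path, "->", check_path(path) or "pass")
```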

This is simple configuration work as described in the server documentation. So what? I still cannot see any reason for a DoS vulnerability in this case.

Honestly, I don't believe that someone publishes the ISAPI (or CGI) examples delivered and installed with the server in an internet environment. The default configuration template for internet is internet.pi3 and this is of course without ISAPI mapping per default.

Finally there's still the fact that wrong (server version) and incomplete (installation options, OS version) information has been posted without giving me the chance for analysis. I'm the only person in the Pi3Web project and I do this in my rare spare time (normally at the weekend).
--
regards,
Holger Zimmermann
