Bugtraq mailing list archives

Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability


From: zimpel () t-online de
Date: 24 Nov 2008 21:53:28 -0000

Still wrong, no DoS. The server responds to further requests after the dialog box appears:
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/red_ball.gif HTTP/1.1" 200 397
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Tile.gif HTTP/1.1" 200 1866

Some explanation:
In desktop mode the application is interactive, but when installed as a system service it isn't.

Of course the preferred installation for a production server is a system service. On the other hand, the (interactive) 
desktop application is the choice for web application development.

Finally, the ISAPI example (!!!) files can be deleted, or a simple filter in the server configuration can be used in 
order to hide these files:

1.) either extend the mapping directive:
Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper From="/isapi/" To="Isapi\"

or 2.) extend the ISAPI handler object:
CheckPath Condition="&not(&or(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" StatusCode StatusCode="404"

Both filters return HTTP status 404 for the example URL http://hz/isapi/users.txt.

This is simple configuration work as described in the server documentation. So what? I still cannot see any reason for 
a DoS vulnerability in this case.

Honestly, I don't believe that anyone publishes the ISAPI (or CGI) examples delivered and installed with the server in 
an internet environment. The default configuration template for the internet is internet.pi3, and this is of course without 
ISAPI mapping by default.

Finally, there's still the fact that wrong (server version) and incomplete (installation options, OS version) 
information has been posted without giving me a chance to analyse it. I'm the only person in the Pi3Web project and I 
do this in my rare spare time (normally at the weekend).
--
regards,
Holger Zimmermann


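The path filter from the message above, modelled offline so its effect on a handful of request paths can be checked without a running server. This is an added Python example; it is not Pi3Web code and not from the message's author. It assumes that Pi3Web's &regexp() is a shell-style wildcard match (the patterns use '*', not regular-expression syntax), that $U is the request path without the query string, and that $f is the file name after the From="/isapi/" To="Isapi\" rewrite; none of these assumptions is confirmed by the post. The sample request paths are constructed, modelled after the log lines quoted above.

```python
"""Offline model of the Pi3Web ISAPI path filter quoted in the post.

Condition modelled:  &or(&regexp('*.dll*', $U), &regexp('*.dll', $f))

Assumptions (not taken from Pi3Web documentation or the post):
  - &regexp() is a shell-style wildcard match, modelled with fnmatchcase;
  - $U is the request path without the query string;
  - $f is the translated file name, i.e. the path after the
    From="/isapi/" To="Isapi\\" rewrite, with backslashes.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

MAPPING_FROM = "/isapi/"     # From="/isapi/" in the ISAPIMapper directive
MAPPING_TO = "Isapi\\"       # To="Isapi\" in the ISAPIMapper directive


def translate_path(request_path):
    """Apply the From/To rewrite to obtain the physical name ($f), or None."""
    if not request_path.startswith(MAPPING_FROM):
        return None
    rest = request_path[len(MAPPING_FROM):]
    return MAPPING_TO + rest.replace("/", "\\")


def isapi_condition(request_path):
    """Model of &or(&regexp('*.dll*', $U), &regexp('*.dll', $f))."""
    f = translate_path(request_path)
    if f is None:
        return False
    return fnmatchcase(request_path, "*.dll*") or fnmatchcase(f, "*.dll")


def dispatch(request_uri):
    """Return what a request gets under either filter variant from the post.

    Variant 1 (Condition on the Mapping): a non-matching request is never
    handed to the ISAPI handler. Variant 2 (CheckPath ... StatusCode="404"):
    the handler rejects it. Both are modelled as 404 here. A matching request
    is reported as 'isapi' because its real status depends on the DLL that runs.
    """
    path = urlsplit(request_uri).path
    if not path.startswith(MAPPING_FROM):
        return "not-isapi"
    return "isapi" if isapi_condition(path) else 404


# Constructed sample requests with the result the model is expected to give.
SAMPLES = {
    "/isapi/users.txt": 404,                 # the example file from the post
    "/isapi/example.dll": "isapi",
    "/isapi/example.dll/extra": "isapi",     # path-info after the DLL passes via $U
    "/isapi/example.dll?name=x": "isapi",    # query string is not part of $U
    "/isapi/sub/other.dll": "isapi",
    "/isapi/readme.dll.txt": "isapi",        # caveat: '*.dll*' on $U is loose
    "/": "not-isapi",                        # outside the mapping entirely
}


def check_samples():
    """Run every constructed sample through dispatch() and return the results."""
    return {uri: dispatch(uri) for uri in SAMPLES}


if __name__ == "__main__":
    for uri, got in check_samples().items():
        print(f"{uri:30} -> {got!s:9} (expected {SAMPLES[uri]})")
```

The one thing the model makes visible that the config lines alone do not is the '*.dll*' pattern on $U: because of the trailing wildcard it admits any request path containing ".dll" anywhere, such as /isapi/readme.dll.txt, not only paths that end in a DLL. Whether that matters depends on what other files sit in the Isapi directory; the post's recommended fix, deleting the example files, sidesteps the question. The model is case-sensitive; the post says nothing about case handling in &regexp(), so treat that as unverified on a Windows host.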