Bugtraq mailing list archives

Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability


From: zimpel () t-online de
Date: Mon, 1 Dec 2008 01:43:27 -0700

See http://secunia.com/advisories/32696/:
The issue only exists when Pi3Web is installed as an interactive desktop application. However, it has not been 
reproduced on my test system until now.
There is a lot of information missing in the original report, which may have an influence on the occurrence of the issue:
- operating system name, version, service pack
- Pi3Web configuration (number of connections, thread reusage, connection keep alive, ...)
- test environment (application firewall, network components)

On the other hand, it is a conceptual question whether an interactive desktop application may wait for user input, even 
if it is a server, and whether blocking of client requests during this time is to be evaluated as DoS. It has to be 
considered that no hardened internet configuration has been used, but an operation mode which is for web development.

Please add at least the preference "Pi3Web must be installed as interactive desktop application" to this report, because 
this is proven and is the common understanding of all people involved who are further analysing this issue.
--
regards,
Holger Zimmermann


