
Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

Still wrong, no DoS. The server responds to further requests, after the dialog box appears:

hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973
hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559
hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811
hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web.ico HTTP/1.1" 200 973
hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/red_ball.gif HTTP/1.1" 200 397
hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Tile.gif HTTP/1.1" 200 1866

Some explanation:
In desktop mode the application is interactive, but when installed as a system service it isn't.

Of course the preferred installation for a production server is a system service. On the other hand, the (interactive) desktop application is the choice for web application development.

Finally the ISAPI example (!!!) files can be deleted or a simple filter in the server configuration can be used in order to hide these files:

1.) either extend the mapping directive:
Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper From="/isapi/" To="Isapi\"

or 2.) extend the ISAPI handler object:
CheckPath Condition="&not(&or(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" StatusCode StatusCode="404"

Both filters for the example URL http://hz/isapi/users.txt return an HTTP status 404.

This is simple configuration work as described in the server documentation. So what? I still cannot see any reason for a DoS vulnerability in this case.

Honestly, I don't believe that someone publishes the ISAPI (or CGI) examples delivered and installed with the server in an internet environment. The default configuration template for internet is internet.pi3 and this is of course without ISAPI mapping per default.

Finally, there's still the fact that wrong (server version) and incomplete (installation options, OS version) information has been posted without giving me the chance for analysis. I'm the only person in the Pi3Web project and I do this in my rare spare time (normally at the weekend).
Holger Zimmermann
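An added example, not part of the post above and not Pi3Web project code: it parses the access-log excerpt quoted in the reply, counts how many successful responses the server logged after the 500 on /isapi/users.txt (the evidence offered against the DoS claim), and models the proposed "only *.dll under /isapi/" filter as a plain path check. The log-line format and the filter semantics are assumptions read off the quoted lines, not Pi3Web's real matching rules.

```python
import re
from datetime import datetime

# Constructed sample: the access-log excerpt quoted in the post, one entry per line.
SAMPLE_LOG = """\
hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973
hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559
hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811
hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web.ico HTTP/1.1" 200 973
hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/red_ball.gif HTTP/1.1" 200 397
hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Tile.gif HTTP/1.1" 200 1866
"""

# Assumed layout: host - [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

def parse_log(text):
    """Parse log text into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        entries.append(d)
    return entries

def served_after_error(entries, error_path):
    """Count 2xx responses logged after the first 5xx for error_path.
    Zero would be consistent with the server having stopped; a positive
    count shows it kept answering (the point the post makes). -1: no such error."""
    for i, e in enumerate(entries):
        if e["path"] == error_path and 500 <= e["status"] < 600:
            return sum(1 for later in entries[i + 1:] if 200 <= later["status"] < 300)
    return -1

def proposed_filter_status(path):
    """Simplified model of the post's filter (assumption): anything under /isapi/
    whose path does not contain '.dll' is answered with 404; other paths pass through (None)."""
    if path.startswith("/isapi/") and ".dll" not in path:
        return 404
    return None
```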