Re: Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln
From: Holger Zimmermann <zimpel@xxxxxxxxxxxxxxxxxxxxx>
Date: 30 Nov 2004 20:31:42 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <20020310042345.5422.qmail@xxxxxxxxxxxxxxxxxxxxxx>

>To see the webroot directory just simply cause a 404 
>error:
>
>http://pi3web-host.com/fake_page

This is caused by the usage of the default configuration for the wrong purpose. 
If you look into the configuration examples in the installation package, 
there's a configuration file Internet.pi3 (I think the name is 
self-explaining), which uses plain html error pages and not the more talkative 
SSI pages, as in the default configuration.
The default configuration has rather been made for web development and feature 
demonstration so this IMO has never been a security problem. Nevertheless I 
provided a checkbox in the administration client in order to switch on verbose 
error messages explicitely in Pi3Web 2.0.1.

>To view files on the web server that you are not 
>supposted to
>be seen do something like:
>
>http://pi3web-host.com/*.extension

This has (afaik) never been reproduced until today. I retested it multiple 
times using older and recent versions and always got a 404 status code in the 
response as expected in that case.
--
regards,
Holger Zimmermann

Prev by Date: Invision Power Board 'Allow auto login' setting override
Next by Date: [CLA-2004:904] Conectiva Security Announcement - cyrus-imapd
Previous by thread: Invision Power Board 'Allow auto login' setting override
Next by thread: [CLA-2004:904] Conectiva Security Announcement - cyrus-imapd
Index(es):
- Date
- Thread