Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability
See http://secunia.com/advisories/32696/:
The issue only exists when Pi3Web is installed as an interactive desktop
application. However, it has not been reproduced on my test system until now.
There is a lot of information missing from the original report, which may have
an influence on the occurrence of the issue:
- operating system name, version, service pack
- Pi3Web configuration (number of connections, thread reuse, connection
keep-alive, ...)
- test environment (application firewall, network components)
On the other hand, it is a conceptual question whether an interactive desktop
application may wait for user input, even if it is a server, and whether blocking
client requests during this time is to be evaluated as a DoS. It has to be
considered that no hardened internet configuration has been used, but an
operation mode which is for web development.
Please add at least the preference "Pi3Web must be installed as an interactive
desktop application" to this report, because this is proven and is the common
understanding of all involved people who are further analysing this issue.
--
regards,
Holger Zimmermann