Re: Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability
I could finally reproduce the problem when I used the Pi3Web 2.0.3 release
without any patches. After applying the available patches in the intended
(incremental) order to this installation, with Pi3Web 2.0.3 PL2 the issue
disappeared.
It seems the creator of the original report has not used a properly maintained
Pi3Web 2.03 with PL2 applied. The required patch PL2 has been publicly available
since April 2007.
FINAL RESULT
No vulnerability:
- with a properly maintained Pi3Web version 2.0.3 with incremental patches up
to PL2 applied
- OR - when Pi3Web is installed as a Windows service
- OR - when configuration template Pi3Web/Conf/Intenet.pi3 is used
Vulnerability (remote DoS in the reported way) confirmed:
- Pi3Web version 2.0.3 without any available patches installed
- AND - Pi3Web is installed as a desktop application
- AND - configuration template Pi3Web/Conf/Intenet.pi3 is not used
Normally all three of these topics have to be considered when the server is
installed as a remotely accessible (internet) server.
Older versions may be vulnerable under the same condition (installation as a
desktop application) but a number of independent solutions are available:
- use configuration template internet.pi3 as the basis to set up your own
internet servers
- delete the ISAPI (and other!) examples manually
- apply one (and only one) of the following configuration changes:
1.) supplement the mapping directive for ISAPI:
    Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper
    From="/isapi/" To="Isapi\"
2.) add to the ISAPI handler object:
    CheckPath Condition="&not(&and(&regexp('*.dll*',$U),&regexp('*.dll',$f)))"
    StatusCode StatusCode="404"
PROPOSED ACTIONS FOR END USERS
Please check the Pi3Web server 2.0.3 installation to ensure that all available
patches have been applied. All updates and patches for release Pi3Web 2.0.3 can
be downloaded here:
https://sourceforge.net/project/showfiles.php?group_id=17753&package_id=16751&release_id=257565
For people who use the web site http://www.pi3.org (and not the project web
site at sourceforge) I added a hint/link in the download area to look for
recent updates and patches at sourceforge.
Users of older versions should either update to Pi3Web 2.0.3 (including PL2) or
apply the proposed configuration change or delete the ISAPI examples completely
from the ISAPI folder.
PROPOSED ACTIONS FOR BID 32287:
The current description in the BID is inconsistent and wrong and therefore
needs multiple updates:
- Pi3Web 2.0.3 PL2 is not vulnerable
- The issue is only valid for Windows versions of Pi3Web
- the following 3 conditions must all be fulfilled in order to produce the
issue but are not mentioned at all:
- Pi3Web version 2.0.3 is installed without any available patches
- AND - Pi3Web is installed as a desktop application
- AND - configuration template Pi3Web/Conf/Intenet.pi3 is not used
- The configuration workarounds I provided a few days ago are not mentioned at
all. Instead it is stated in the BID: "Currently we are not aware of any
vendor-supplied patches for this issue."
- one reference to my emails to bugtraq in the 'references' tab of the BID is
duplicated and therefore my previous mail to bugtraq is missing in the references
list.
--
kind regards,
Holger Zimmermann
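Added example (not part of the mail above and not Pi3Web code): a small Python model of the two configuration workarounds, so the effect of each Condition on sample requests under /isapi/ can be checked offline. It assumes, without confirmation from the mail, that $U is the request URL path, that $f is the physical file the Mapping's From/To rule produces, and that &regexp() does shell-style glob matching with '*' as wildcard (done case-insensitively here since the issue concerns the Windows build). The sample URLs are constructed.

```python
"""Model of the two Pi3Web configuration workarounds from the mail above.

Assumptions (not confirmed by the mail): $U is the request URL path, $f is the
physical file the URL maps to, and &regexp() does shell-style glob matching
with '*' as the wildcard. Matching is case-insensitive here because the
issue concerns the Windows build.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Request:
    url: str        # value substituted for $U (assumed: URL path)
    filename: str   # value substituted for $f (assumed: mapped physical path)


def regexp(pattern: str, value: str) -> bool:
    """Stand-in for Pi3Web's &regexp(pattern, value); glob semantics are an assumption."""
    return fnmatchcase(value.lower(), pattern.lower())


def mapping_condition(req: Request) -> bool:
    """Workaround 1: &or(&regexp('*.dll*',$U),&regexp('*.dll',$f)) on the Mapping directive."""
    return regexp("*.dll*", req.url) or regexp("*.dll", req.filename)


def checkpath_rejects(req: Request) -> bool:
    """Workaround 2: CheckPath Condition="&not(&and(&regexp('*.dll*',$U),&regexp('*.dll',$f)))"
    followed by StatusCode 404; True means the request is rejected."""
    return not (regexp("*.dll*", req.url) and regexp("*.dll", req.filename))


def map_to_file(url: str, mapping_from: str = "/isapi/", mapping_to: str = "Isapi\\") -> str:
    """Derive $f from the From="/isapi/" To="Isapi\\" mapping (constructed model)."""
    rest = url[len(mapping_from):].replace("/", "\\")
    return mapping_to + rest


def dispatch(url: str, workaround: int) -> str:
    """Return which handler serves the request under the chosen workaround.

    'isapi' -> request reaches the ISAPI handler
    '404'   -> rejected by the CheckPath directive (workaround 2)
    'other' -> the ISAPI mapping does not apply; request falls through to other mappings
    """
    if not url.startswith("/isapi/"):
        return "other"
    req = Request(url=url, filename=map_to_file(url))
    if workaround == 1:
        return "isapi" if mapping_condition(req) else "other"
    if workaround == 2:
        return "404" if checkpath_rejects(req) else "isapi"
    raise ValueError("workaround must be 1 or 2")


# Constructed sample requests: a real ISAPI module, a path with trailing
# path-info after the .dll, and a plain non-DLL file under /isapi/.
SAMPLES = ["/isapi/hello.dll", "/isapi/hello.dll/extra", "/isapi/readme.txt"]


def table() -> dict:
    """Decision of both workarounds for every sample request."""
    return {u: (dispatch(u, 1), dispatch(u, 2)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (w1, w2) in table().items():
        print(f"{url:26} workaround1={w1:6} workaround2={w2}")
```

Under these assumptions the two workarounds differ for a request such as /isapi/hello.dll/extra: the &or() mapping condition still routes it to the ISAPI handler (the URL matches '*.dll*'), while the &and()-based CheckPath returns 404 because the mapped file does not end in .dll. Requests under /isapi/ that name no DLL at all are kept away from the ISAPI examples by both variants.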