
Re: Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability



I could finally reproduce the problem when I used the Pi3Web 2.0.3 release
without any patches. After applying the available patches in the intended
(incremental) order to this installation, with Pi3Web 2.0.3 PL2 the issue
disappeared.
 
It seems the creator of the original report has not used a properly maintained
Pi3Web 2.0.3 with PL2 applied. The required patch PL2 has been publicly available
since April 2007.
 
FINAL RESULT 
 
No vulnerability: 
- with a properly maintained Pi3Web version 2.0.3 with incremental patches up 
to PL2 applied 
- OR - when Pi3Web is installed as a Windows service 
- OR - when configuration template Pi3Web/Conf/Intenet.pi3 is used 
 
Vulnerability (remote DoS in the reported way) confirmed: 
- Pi3Web version 2.0.3 without any available patches installed 
- AND - Pi3Web is installed as a desktop application 
- AND - configuration template Pi3Web/Conf/Intenet.pi3 is not used 
 
Normally all three of these topics have to be considered when the server is
installed as a remotely accessible (internet) server.
 
Older versions may be vulnerable under the same condition (installation as a
desktop application), but a number of independent solutions are available:
 
- use configuration template internet.pi3 as basis to setup own internet 
servers 
- delete the ISAPI (and other!) examples manually 
- apply one (and only one) of the following configuration changes: 
 
1.) supplement the mapping directive for ISAPI: 
Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper 
From="/isapi/" To="Isapi\" 
 
2.) add to the ISAPI handler object: 
CheckPath Condition="&not(&and(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" 
StatusCode StatusCode="404" 
 
PROPOSED ACTIONS FOR END USERS
Please check the Pi3Web server 2.0.3 installation to ensure that all available
patches have been applied. All updates and patches for release Pi3Web 2.0.3 can
be downloaded here:
 
https://sourceforge.net/project/showfiles.php?group_id=17753&package_id=16751&release_id=257565
 
 
For people who use the web site http://www.pi3.org (and not the project web
site at sourceforge) I added a hint/link in the download area to look for
recent updates and patches at sourceforge.
 
Users of older versions should either update to Pi3Web 2.0.3 (including PL2) or 
apply the proposed configuration change or delete the ISAPI examples completely 
from the ISAPI folder. 

PROPOSED ACTIONS FOR BID 32287:
The current description in the BID is inconsistent and wrong and therefore 
needs multiple updates:
- Pi3Web 2.0.3 PL2 is not vulnerable
- The issue is only valid for Windows versions of Pi3Web
- the following 3 conditions must all be fulfilled in order to produce the
issue but are not mentioned at all:
  - Pi3Web version 2.0.3 is installed without any available patches
  - AND - Pi3Web is installed as a desktop application 
  - AND - configuration template Pi3Web/Conf/Intenet.pi3 is not used 

- The configuration workarounds I provided a few days ago are not mentioned at
all. Instead it is stated in the BID: "Currently we are not aware of any
vendor-supplied patches for this issue."

- one reference to my emails to bugtraq in the 'references' tab of the BID
appears twice, and therefore my previous mail to bugtraq is missing from the
references list.
--  
 
kind regards, 
Holger Zimmermann
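The two configuration conditions quoted in the mail above (the supplemented Mapping condition and the CheckPath condition), modelled in Python as an added example. This is not Pi3Web code and not the post author's code. It assumes that Pi3Web's &regexp behaves like a shell-style wildcard match, that $U is the request URL path and $f the file the mapper resolved it to, and that the unpatched configuration passes every /isapi/ request to the ISAPI handler; the request table is constructed for the example, with the $f values chosen by hand rather than derived from Pi3Web's mapper.

```python
"""Request gate equivalent to the two Pi3Web configuration workarounds.

Added example, not Pi3Web code.  Assumptions (not confirmed by the post):
  - Pi3Web's &regexp(pattern, value) is a shell-style wildcard match
  - $U is the request URL path, $f the file the mapper resolved it to
  - without the workarounds every /isapi/ request reaches the ISAPI handler
"""
import fnmatch

ISAPI_URL_PATTERN = "*.dll*"   # &regexp('*.dll*', $U): ".dll" somewhere in the URL
ISAPI_FILE_PATTERN = "*.dll"   # &regexp('*.dll', $f): the resolved file is a DLL


def pi3_regexp(pattern, value):
    """Assumed semantics of &regexp: shell-style wildcards, case-sensitive."""
    return fnmatch.fnmatchcase(value, pattern)


def mapping_condition(url, file_path):
    """Workaround 1: Condition on the Mapping directive.
    &or(&regexp('*.dll*',$U), &regexp('*.dll',$f))
    True means the ISAPI mapper applies; False means it is skipped and the
    request falls through to the server's other mappings."""
    return pi3_regexp(ISAPI_URL_PATTERN, url) or pi3_regexp(ISAPI_FILE_PATTERN, file_path)


def checkpath_condition(url, file_path):
    """Workaround 2: CheckPath in the ISAPI handler object.
    &not(&and(&regexp('*.dll*',$U), &regexp('*.dll',$f)))
    True means the handler answers with StatusCode 404 instead of running."""
    return not (pi3_regexp(ISAPI_URL_PATTERN, url) and pi3_regexp(ISAPI_FILE_PATTERN, file_path))


def dispatch(url, file_path, workaround):
    """Outcome for one request under workaround 1, workaround 2, or neither (0)."""
    if workaround == 1:
        return "isapi" if mapping_condition(url, file_path) else "not-mapped"
    if workaround == 2:
        return "404" if checkpath_condition(url, file_path) else "isapi"
    # unpatched configuration (assumed): everything under /isapi/ reaches the handler
    return "isapi"


# Constructed sample requests: (URL path $U, resolved file $f).
SAMPLE_REQUESTS = [
    ("/isapi/example.dll", "Isapi\\example.dll"),          # a real ISAPI extension
    ("/isapi/example.dll/extra", "Isapi\\example.dll"),    # extension with path info
    ("/isapi/", "Isapi\\"),                                 # directory request, no DLL
    ("/isapi/readme.txt", "Isapi\\readme.txt"),             # non-DLL file in the ISAPI tree
    ("/isapi/example.dll.bak", "Isapi\\example.dll.bak"),   # ".dll" inside the name only
]


def evaluate_samples(samples=SAMPLE_REQUESTS):
    """Map each sample URL to its outcome under (no workaround, workaround 1, workaround 2)."""
    return {
        url: (dispatch(url, f, 0), dispatch(url, f, 1), dispatch(url, f, 2))
        for url, f in samples
    }


if __name__ == "__main__":
    for url, outcomes in evaluate_samples().items():
        print(f"{url:28} unpatched={outcomes[0]:<10} wa1={outcomes[1]:<10} wa2={outcomes[2]}")
```

Running the table shows where the two conditions agree (plain DLL requests reach the handler, a bare /isapi/ or a .txt file does not) and where they differ, for instance a name like example.dll.bak, where the URL pattern matches but the file pattern does not; this is useful when deciding which of the two alternatives fits a given installation.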