Re: [Pi3web-users] DOS Vulnerability?
Brought to you by:
zimpel
Menu
▾
▴
Re: [Pi3web-users] DOS Vulnerability?
|
From: <zi...@t-...> - 2002-01-18 23:53:04
|
Hi all, I tried to figure out this issue, which was originally reported in the bugtraq mailing list http://www.securityfocus.com/archive/1/250126 a few days ago and found out the following: There's really a problem with Pi3Web 2.0 CGI handler for physical paths, which are exactly MAX_PATH (260) bytes long and end with illegal (series of) dot(s). The problem does exist due to a specific behaviour of the Windows API, which isn't handled correctly and will crash the server reproducible. - The problem is limited to Pi3Web 2.0 on Win32 only. - Linux and Solaris aren't affected. - Older versions of Pi3Web aren't affected. - Configurations without CGI aren't affected. The problem could be reproduced by using the url from the attached file in your browser. May be you vary the number of dots a bit (increase and/or decrease) to see what happens. A patch fixing the problem is available at sourceforge from now: http://sourceforge.net/tracker/index.php?func=detail&aid=505583&group_id=17753&atid=317753 This .ZIP file contains 2 DLL's which must be replaced in Pi3Web/bin. Don't forget to stop Pi3Web before you apply the patch and restart the server afterwards. A configuration based workaround is also possible by addition of the following line in object Scripts, e.g. in Pi3Web/Conf/Config.pi3: <Object> Name Scripts Class FlexibleHandlerClass Condition "&cmp(&dblookup(response,string,ObjectMap),Scripts)" # line added to check for script names ending on '.' CheckPath Condition="®exp(*.,$z)" StatusCode StatusCode="404" ... Please report, if the problem could be reproduced before you applied the patch and if it was safely solved afterwards. Only if interested - look into the details: The Windows API does accept filenames ending on (series of) '.' in functions like FindExecutable() or FindFirstFile(). If the path name is longer than MAX_PATH, an error will be raised anyway. The problem arised due to bypassing the check for file existance, which uses FindFirstFile() and the subsequent behaviour when trying to resolve a file association using FindExecutable() in the CGI handler. -- regards Holger TMTOWTDI - There's More Than One Way To Do It - Perl motto ---------------------------------------------------------- Holger 'zimpel' Zimmermann ---------------------------------------------------------- Wendishain Germany ---------------------------------------------------------- http://home.t-online.de/home/zimpel/ http://pi3web.sourceforge.net/ mailto:zi...@t-... ---------------------------------------------------------- Bradford Bruce schrieb: > > http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0015.html > > _______________________________________________ > Pi3web-users mailing list > Pi3...@li... > https://lists.sourceforge.net/lists/listinfo/pi3web-users |
