[Pi3web-devel] Re: [Pi3web-users] DOS Vulnerability?
From: <zi...@t-...> - 2002-01-18 23:53:04
Hi all,

I tried to figure out this issue, which was originally reported in the bugtraq mailing list http://www.securityfocus.com/archive/1/250126 a few days ago, and found out the following:

There's really a problem with the Pi3Web 2.0 CGI handler for physical paths which are exactly MAX_PATH (260) bytes long and end with an illegal dot (or series of dots). The problem exists due to a specific behaviour of the Windows API, which isn't handled correctly and will crash the server reproducibly.

- The problem is limited to Pi3Web 2.0 on Win32 only.
- Linux and Solaris aren't affected.
- Older versions of Pi3Web aren't affected.
- Configurations without CGI aren't affected.

The problem could be reproduced by using the URL from the attached file in your browser. Maybe vary the number of dots a bit (increase and/or decrease) to see what happens.

A patch fixing the problem is available at SourceForge from now on:
http://sourceforge.net/tracker/index.php?func=detail&aid=505583&group_id=17753&atid=317753

This .ZIP file contains 2 DLLs which must be replaced in Pi3Web/bin. Don't forget to stop Pi3Web before you apply the patch and restart the server afterwards.

A configuration-based workaround is also possible by adding the following line to the object Scripts, e.g. in Pi3Web/Conf/Config.pi3:

    <Object>
    Name Scripts
    Class FlexibleHandlerClass
    Condition "&cmp(&dblookup(response,string,ObjectMap),Scripts)"
    # line added to check for script names ending in '.'
    CheckPath Condition="&regexp(*.,$z)" StatusCode StatusCode="404"
    ...

Please report if the problem could be reproduced before you applied the patch and if it was safely solved afterwards.

Only if interested - look into the details: The Windows API does accept filenames ending in a dot (or series of dots) in functions like FindExecutable() or FindFirstFile(). If the path name is longer than MAX_PATH, an error will be raised anyway. The problem arose due to bypassing the check for file existence, which uses FindFirstFile(), and the subsequent behaviour when trying to resolve a file association using FindExecutable() in the CGI handler.

--
regards Holger

TMTOWTDI - There's More Than One Way To Do It - Perl motto
Holger 'zimpel' Zimmermann
Wendishain, Germany
http://home.t-online.de/home/zimpel/
http://pi3web.sourceforge.net/
mailto:zi...@t-...

Bradford Bruce wrote:
>
> http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0015.html
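The two conditions Holger describes (a physical path that fills a MAX_PATH buffer, and a name ending in dots that FindFirstFile()/FindExecutable() accept anyway) can be rejected before any Win32 call is made. The following is an added example, not Pi3Web's code or the patch above: a portable C pre-check, with a hypothetical function name `check_cgi_path()` and constructed sample paths, that mirrors the `&regexp(*.,$z)` workaround and adds the length boundary.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260   /* Win32 limit, counting the terminating NUL */
#endif

enum path_verdict { PATH_OK, PATH_EMPTY, PATH_TOO_LONG, PATH_TRAILING_DOT };
static const char *const verdict_name[] = { "ok", "empty", "too long", "trailing dot" };

/* Hypothetical pre-check for an already-mapped CGI physical path. It refuses
 * (1) paths that do not fit in a MAX_PATH buffer together with their NUL, the
 *     boundary at which the reported crash occurs, and
 * (2) paths with any component ending in '.', because FindFirstFile() and
 *     FindExecutable() accept such names by silently stripping the dots, so a
 *     later existence check can pass for a name that does not really exist.
 * Rule (2) also catches "." and "..", which should never survive in a
 * resolved physical path anyway. */
enum path_verdict check_cgi_path(const char *path)
{
    const char *p;
    if (path == NULL || *path == '\0')
        return PATH_EMPTY;
    if (strlen(path) >= MAX_PATH)
        return PATH_TOO_LONG;
    for (p = path; *p != '\0'; p++) {
        bool last_in_component = (p[1] == '\0' || p[1] == '\\' || p[1] == '/');
        if (*p == '.' && last_in_component)
            return PATH_TRAILING_DOT;
    }
    return PATH_OK;
}

int main(void)
{
    /* Constructed sample paths; longbuf is 260 bytes of 'a' plus its NUL. */
    char longbuf[MAX_PATH + 1];
    const char *samples[4];
    memset(longbuf, 'a', MAX_PATH);
    longbuf[MAX_PATH] = '\0';
    samples[0] = "C:\\Pi3Web\\Cgi-Bin\\test.exe";
    samples[1] = "C:\\Pi3Web\\Cgi-Bin\\test.exe...";
    samples[2] = "C:\\Pi3Web\\Cgi-Bin.\\test.exe";
    samples[3] = longbuf;
    for (size_t i = 0; i < 4; i++)
        printf("%-32.32s -> %s\n", samples[i], verdict_name[check_cgi_path(samples[i])]);
    return 0;
}
```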