Bugtraq mailing list archives

Re: Pi3Web Webserver v2.0 Buffer Overflow Vulnerability


From: Holger Zimmermann <zimpel () users sourceforge net>
Date: 21 Jan 2002 19:08:32 -0000


In-Reply-To: <000b01c19c86$1f3c97e0$3bc283d9@ts>


Hi,

I tried to figure out this issue, which was originally reported in the bugtraq
mailing list http://www.securityfocus.com/archive/1/250126 a few days ago and
found out the following:

There's really a problem with the Pi3Web 2.0 CGI handler for physical paths which
are exactly MAX_PATH (260) bytes long and end with illegal (series of) dot(s).
The problem exists due to a specific behaviour of the Windows API, which
isn't handled correctly and will crash the server reproducibly.

- The problem is limited to Pi3Web 2.0 beta 1&2 on Win32.
- Linux and Solaris versions aren't affected at all.
- Older versions of Pi3Web aren't affected.
- Configurations without CGI aren't affected.

The problem could be reproduced by using the test case described
in the original report. Maybe you have to vary the number of dots a bit
(increase and/or decrease) dependent on the length of the physical path.

A patch fixing the problem is available at sourceforge from now:
http://sourceforge.net/tracker/index.php?func=detail&aid=505583&group_id=17753&atid=317753

This .ZIP file contains 2 DLLs, which must be replaced in Pi3Web/bin.
Don't forget to stop Pi3Web before you apply the patch and restart the
server afterwards.

A configuration based workaround is also possible by addition of the following
line in object Scripts, e.g. in Pi3Web/Conf/Config.pi3:

<Object>
        Name Scripts
        Class FlexibleHandlerClass
        Condition "&cmp(&dblookup(response,string,ObjectMap),Scripts)"
        # line added to check for script names ending on '.'
        CheckPath Condition="&regexp(*.,$z)" StatusCode StatusCode="404"
        ...

Please report, if the problem could be reproduced before you applied the patch and
if it was safely solved afterwards.
-- 
regards
Holger Zimmermann
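As an added illustration of the defensive check the configuration workaround above expresses (not Pi3Web's own code, and not the content of the patched DLLs): a pre-check that rejects a CGI physical path ending in '.' with a 404-style verdict, and additionally refuses any path that has reached MAX_PATH, the length at which the crash was reported. MAX_PATH is assumed to be 260 as in the Win32 headers and is defined locally so the code builds without them; `verdict_for_padded_path` builds constructed sample paths of a chosen length.

```c
/* Added example, not Pi3Web's own code. MAX_PATH is 260 as in the Win32
 * headers; defined here so this builds without them. */
#include <stdio.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260
#endif

enum path_verdict { PATH_OK = 0, PATH_TRAILING_DOT, PATH_TOO_LONG };

/* Bounded length: never scan past MAX_PATH bytes of an untrusted buffer. */
static size_t bounded_len(const char *s)
{
    size_t n = 0;
    while (n < MAX_PATH && s[n] != '\0')
        n++;
    return n;
}

/* Validate a physical path before the CGI handler hands it to the OS.
 * Same intent as: CheckPath Condition="&regexp(*.,$z)" StatusCode="404" */
int check_cgi_path(const char *path)
{
    size_t len = bounded_len(path);
    /* A path of MAX_PATH bytes (or more) leaves no room for a terminator
       in a MAX_PATH buffer; refuse it instead of letting the API see it. */
    if (len >= MAX_PATH)
        return PATH_TOO_LONG;
    if (len > 0 && path[len - 1] == '.')
        return PATH_TRAILING_DOT;
    return PATH_OK;
}

/* Constructed sample: total_len bytes of 'a' with the last `dots` bytes
 * replaced by '.', then returns the verdict for that path. */
int verdict_for_padded_path(size_t total_len, int dots)
{
    char buf[MAX_PATH + 16];
    size_t i;
    if (total_len >= sizeof buf || (size_t)dots > total_len)
        return -1;
    for (i = 0; i < total_len; i++)
        buf[i] = (i < total_len - (size_t)dots) ? 'a' : '.';
    buf[total_len] = '\0';
    return check_cgi_path(buf);
}

int main(void)
{
    printf("%d %d %d\n", check_cgi_path("/cgi-bin/test.exe"),
           verdict_for_padded_path(259, 3), verdict_for_padded_path(260, 3));
    return 0;
}
```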

