Bugtraq mailing list archives

Re: Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability


From: zimpel () t-online de
Date: Wed, 3 Dec 2008 00:48:44 -0700

I could finally reproduce the problem when I used the Pi3Web 2.0.3 release without any patches. After applying the 
available patches in the intended (incremental) order to this installation, with Pi3Web 2.0.3 PL2 the issue disappeared. 
 
It seems the creator of the original report has not used a properly maintained Pi3Web 2.03 with PL2 applied. The 
required patch PL2 has been publicly available since April 2007. 
 
FINAL RESULT 
 
No vulnerability: 
- with a properly maintained Pi3Web version 2.0.3 with incremental patches up to PL2 applied 
- OR - when Pi3Web is installed as a Windows service 
- OR - when configuration template Pi3Web/Conf/Intenet.pi3 is used 
 
Vulnerability (remote DoS in the reported way) confirmed: 
- Pi3Web version 2.0.3 without any available patches installed 
- AND - Pi3Web is installed as a desktop application 
- AND - configuration template Pi3Web/Conf/Intenet.pi3 is not used 
 
Normally all of the three topics have to be considered when the server is installed as a remotely accessible 
(internet) server. 
 
Older versions may be vulnerable under the same condition (installation as a desktop application) but a number of 
independent solutions are available: 
 
- use configuration template internet.pi3 as basis to setup own internet servers 
- delete the ISAPI (and other!) examples manually 
- apply one (and only one) of the following configuration changes: 
 
1.) supplement the mapping directive for ISAPI: 
Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper From="/isapi/" To="Isapi\" 
 
2.) add to the ISAPI handler object: 
CheckPath Condition="&not(&and(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" StatusCode StatusCode="404" 
 
PROPOSED ACTIONS FOR END USERS
Please check the Pi3Web server 2.0.3 installation to ensure, that all available patches have been applied. All updates 
and patches for release Pi3Web 2.0.3 can be downloaded here: 
 
https://sourceforge.net/project/showfiles.php?group_id=17753&package_id=16751&release_id=257565 
 
For people, who use the web site http://www.pi3.org (and not the project web site at sourceforge) I added a hint/link 
in the download area to look for recent updates and patches at sourceforge. 
 
Users of older versions should either update to Pi3Web 2.0.3 (including PL2) or apply the proposed configuration change 
or delete the ISAPI examples completely from the ISAPI folder. 

PROPOSED ACTIONS FOR BID 32287:
The current description in the BID is inconsistent and wrong and therefore needs multiple updates:
- Pi3Web 2.0.3 PL2 is not vulnerable
- The issue is only valid for Windows versions of Pi3Web
- the following 3 conditions must all be fulfilled in order to produce the issue but are not mentioned at all:
  - Pi3Web version 2.0.3 is installed without any available patches
  - AND - Pi3Web is installed as a desktop application 
  - AND - configuration template Pi3Web/Conf/Intenet.pi3 is not used 

- The configuration workarounds I provided a few days ago are not mentioned at all. Instead it is stated in the BID: 
"Currently we are not aware of any vendor-supplied patches for this issue."

- one reference to my emails to bugtraq in the 'references' tab of the BID is double and therefore my previous mail to 
bugtraq is missing in the references list.
--  
 
kind regards, 
Holger Zimmermann 
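
An added example, not part of the original message and not Pi3Web project code: a small audit that reads a Pi3Web configuration text and reports which of the two configuration workarounds quoted above is present, flagging the case where both are applied, since the post says to apply one and only one. The function names, status strings and sample fragments are constructed for illustration; the unconditioned Mapping line is an assumed "before" form. It checks configuration only, not patch level or service mode.

```python
import re

# Condition expressions exactly as quoted in the post (workarounds 1 and 2).
MAPPING_COND = "&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))"
CHECKPATH_COND = "&not(&and(&regexp('*.dll*',$U),&regexp('*.dll',$f)))"

def _condition(line):
    """Extract the Condition="..." value from a directive line, or None."""
    m = re.search(r'Condition="([^"]*)"', line)
    return m.group(1).replace(" ", "") if m else None

def audit_isapi_workaround(config_text):
    """Classify a Pi3Web configuration text by which workaround it carries."""
    mappings = guarded = 0
    checkpath = False
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "Mapping" and "ISAPIMapper" in words:
            mappings += 1
            guarded += _condition(raw) == MAPPING_COND
        elif words[0] == "CheckPath" and 'StatusCode="404"' in words:
            checkpath = checkpath or _condition(raw) == CHECKPATH_COND
    if mappings == 0:
        return "no-isapi-mapping"
    if guarded and checkpath:
        return "both-applied"      # the post says one and only one
    if guarded == mappings:
        return "workaround-1"
    if checkpath:
        return "workaround-2"
    return "unmitigated"           # ISAPI mapped, neither change present

# Constructed fragments: the conditioned Mapping and the CheckPath lines are
# the post's directives; UNPATCHED is an assumed form without the Condition.
UNPATCHED = r'''
Mapping ISAPIMapper From="/isapi/" To="Isapi\"
'''
WITH_WA1 = r'''
Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper From="/isapi/" To="Isapi\"
'''
CHECKPATH_LINE = r'''
CheckPath Condition="&not(&and(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" StatusCode StatusCode="404"
'''

if __name__ == "__main__":
    for name, text in [("unpatched", UNPATCHED), ("wa1", WITH_WA1),
                       ("wa2", UNPATCHED + CHECKPATH_LINE)]:
        print(name, "->", audit_isapi_workaround(text))
```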

