SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Server/CGI)  >   Pi3Web Vendors:   Roy, John
Pi3Web Server Reveals Directory Path Information And May Execute Arbitrary Code
SecurityTracker Alert ID:  1000941
SecurityTracker URL:  http://securitytracker.com/id/1000941
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Feb 16 2001
Original Entry Date:  Feb 16 2001
Impact:   Denial of service via network, Disclosure of system information


Description:   Pi3Web v1.0.1 is a freeware web server available from http://www.zdnet.com and other sources. Two vulnerabilities are reported. One is a buffer overflow that can cause the server to be remotely crashed. The other is a flaw that causes the physical path of the web server's root directory to be displayed when a "file not found (404)" error is encountered.

A vulnerability reportedly exists in the server's internal ISAPI handling procedures which results in a buffer overflow. The buffer overflow can cause the server to crash. [Although it has not been demonstrated, it may also be possible to remotely execute arbitrary code.]

The server also reveals the physical path of the web root upon encountering a 404 error.

An example URL that overflows a buffer in Pi3Web's executable is:

http://localhost/isapi/tstisapi.dll?[a lot of 'A's]

To discover the physical path of the web root, just use any URL for which there is no actual file on the web server, such as:

http://localhost/[any string which causes a 404 error]

Impact:   The web server can be caused to crash via the network. Also, the web server's physical path can be learned via the network.
Solution:   The author of the report indicates that the buffer overflow can be prevented by deleting the ISAPI module named 'tstisapi.dll'. No solution was available for the web path disclosure at the time of this entry.
Cause:   Boundary error, Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Vulnerabilities in Pi3Web Server


--Hushpart_boundary_iBUaaFrYafDTnNaSxCyZJYmfHFtUVaSf
Content-type: text/plain

----- Begin Hush Signed Message from joetesta@hushmail.com -----

Vulnerabilities in Pi3Web Server



    Overview

Pi3Web v1.0.1 is a web server available from http://www.zdnet.com.  A
vulnerability exists in the server's internal ISAPI handling procedures
which results in a buffer overflow.  The server also reveals the physical
path of the web root upon encountering a 404 error.



    Details


Here is an example URL that overflows a buffer in Pi3Web's executable:

        http://localhost/isapi/tstisapi.dll?[a lot of 'A's]

This results in the following crash:

ENHPI3 caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
EAX=00000001 CS=017f EIP=41414141 EFLGS=00010206
EBX=0123d1b0 SS=0187 ESP=041df3b0 EBP=041dfed4
ECX=00000000 DS=0187 ESI=041df3f0 FS=3e6f
EDX=00000000 ES=0187 EDI=00000000 GS=0000
Bytes at CS:EIP:

Stack dump:
41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141
41414141 00bb0b2c 00000000 05611030


To discover the physical path of the web root:

        http://localhost/[any string which causes a 404 error]

The server responds with:

        The original URL path was:
        /sadfasdf

        The mapped physical path was:
        C:\PI3WEB\WebRoot\sadfasdf




    Solution

The buffer overflow can be prevented by deleting the ISAPI module named
'tstisapi.dll'.  There is no quick solution for the web root disclosure.



    Vendor Status

The author, John Roy, was contacted via <jproy@WORLD.STD.COM> on Monday,
February 5, 2001.  No reply was received.



    - Joe Testa  ( e-mail: joetesta@hushmail.com / AIM: LordSpankatron )


----- Begin Hush Signature v1.3 -----
B2izikZHXZBSe741WqgWmHVTt5g5goAcqJzAz0tPWIrMzvB0fUWonV8Q6SUq4x4PTs+t
Fqyz4+UGHO1T/IunO4J4uML1McFFFDLqSXJDyeZYd6ZvryQzRY+6WEeaBEVFFLI5X+yq
F/nobN22dvqdFHrJ9PVBdYa88NieXkpAY1el3gHXiaGqYcWM1lMoub5WttkwNx9Irzpb
CJlaASStNBTRBkSn84x5YkgDOgiANl7VafyNamn3X3uhJ5SHghXnUCvpueGKj6Yna9Dv
wKHdyV3pg2r/UiFOfx7fy4BC5L8VOSsQZl420F1rBLxdwpnqqU3g8yiTsSs2HxG3arIF
/xxa9llCxo+zKaGppx/6HGIhF8k2S6qfJcYlgmd5YhdQWMuH0A/XQhqxIGNxgJ6nY7mU
qbAW7gyoXV0OFYQivjHzq6zaLE8Q7uGqBodkF/CkvbuXSAeENgECSew5bz2EblGV1Ymb
6VlmOeX5w964o01o2/2v+oFNItGYbD9N9LkHNSwNjwH4
----- End Hush Signature v1.3 -----
\n\nThis message has been signed with a Hush Digital Signature. \nTo verify the signature, please go to www.hush.com/tools\n\n
--Hushpart_boundary_iBUaaFrYafDTnNaSxCyZJYmfHFtUVaSf--


IMPORTANT NOTICE:  If you are not using HushMail, this message could have been read easily by the many people who have access to your
 open personal email messages.
Get your FREE, totally secure email address at http://www.hushmail.com.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC