mailing list archives
Re: Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln
From: Holger Zimmermann <zimpel () users sourceforge net>
Date: 30 Nov 2004 20:31:42 -0000
In-Reply-To: <20020310042345.5422.qmail () mail securityfocus com>
To see the webroot directory just simply cause a 404
This is caused by the usage of the default configuration for the wrong purpose. If you look into the configuration
examples in the installation package, there's a configuration file Internet.pi3 (I think the name is self-explaining),
which uses plain html error pages and not the more talkative SSI pages, as in the default configuration.
The default configuration has rather been made for web development and feature demonstration so this IMO has never been
a security problem. Nevertheless I provided a checkbox in the administration client in order to switch on verbose error
messages explicitely in Pi3Web 2.0.1.
To view files on the web server that you are not
be seen do something like:
This has (afaik) never been reproduced until today. I retested it multiple times using older and recent versions and
always got a 404 status code in the response as expected in that case.
- Re: Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln Holger Zimmermann (Dec 01)