Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln
From: Holger Zimmermann <zimpel () users sourceforge net>
Date: 30 Nov 2004 20:31:42 -0000

In-Reply-To: <20020310042345.5422.qmail () mail securityfocus com>

To see the webroot directory just simply cause a 404 
error:

http://pi3web-host.com/fake_page

This is caused by the usage of the default configuration for the wrong purpose. If you look into the configuration 
examples in the installation package, there's a configuration file Internet.pi3 (I think the name is self-explaining), 
which uses plain html error pages and not the more talkative SSI pages, as in the default configuration.
The default configuration has rather been made for web development and feature demonstration so this IMO has never been 
a security problem. Nevertheless I provided a checkbox in the administration client in order to switch on verbose error 
messages explicitely in Pi3Web 2.0.1.

To view files on the web server that you are not 
supposted to
be seen do something like:

http://pi3web-host.com/*.extension

This has (afaik) never been reproduced until today. I retested it multiple times using older and recent versions and 
always got a 404 status code in the response as expected in that case.
--
regards,
Holger Zimmermann


  By Date           By Thread  

Current thread:
  • Re: Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln Holger Zimmermann (Dec 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]