Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Re: Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln

Re: Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln

From: Holger Zimmermann <zimpel_at_users.sourceforge.net>
Date: 30 Nov 2004 20:31:42 -0000
('binary' encoding is not supported, stored as-is) In-Reply-To: <20020310042345.5422.qmail_at_mail.securityfocus.com>

>To see the webroot directory just simply cause a 404
>error:
>
>http://pi3web-host.com/fake_page

This is caused by the usage of the default configuration for the wrong purpose. If you look into the configuration examples in the installation package, there's a configuration file Internet.pi3 (I think the name is self-explaining), which uses plain html error pages and not the more talkative SSI pages, as in the default configuration.
The default configuration has rather been made for web development and feature demonstration so this IMO has never been a security problem. Nevertheless I provided a checkbox in the administration client in order to switch on verbose error messages explicitely in Pi3Web 2.0.1.

>To view files on the web server that you are not
>supposted to
>be seen do something like:
>
>http://pi3web-host.com/*.extension

This has (afaik) never been reproduced until today. I retested it multiple times using older and recent versions and always got a 404 status code in the response as expected in that case.
--
regards,
Holger Zimmermann
Received on Dec 01 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]