Re: Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

2008-12-03 Thread zimpel
I could finally reproduce the problem when I used the Pi3Web 2.0.3 release without any patches. After applying the available patches in the intended (incremental) order to this installation, with Pi3Web 2.0.3 PL2 the issue disappeared. It seems the creator of the original report has not used

Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

2008-12-01 Thread zimpel
See http://secunia.com/advisories/32696/: The issue only exists when Pi3Web is installed as an interactive desktop application. However, it has not been reproduced on my test system until now. There is a lot of information missing in the original report, which may have influence on the occu

Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

2008-12-01 Thread het_ebadi
Successfully tested. http://secunia.com/Advisories/32696/ tested on last version: note: Successful exploitation requires that Pi3Web is installed as a Desktop application.

Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

2008-11-24 Thread zimpel
Still wrong, no DoS. The server responds to further requests after the dialog box appears: 192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339 192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973 192.168

Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

2008-11-24 Thread tecklord
Vulnerability is confirmed on Pi3Web 2.03 PL 2. If an attacker sends a request to one of the files in the isapi directory, the dialog box appears on the host system. Until the OK button on the host system is pressed, Pi3Web does not serve any requests. There is no application crash, but technica

Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

2008-11-22 Thread zimpel
Please remove this wrong report (no crash happens as reported and Pi3Web version 2.013 doesn't exist at all!!!) and inform all sites copying information from your site about the removal. I am very disappointed about the fact that such reports are published without contacting software vendors