Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln

From: Tekno pHReak (tek@superw00t.com)
Date: 03/10/02


Date: 10 Mar 2002 04:23:45 -0000
From: Tekno pHReak <tek@superw00t.com>
To: bugtraq@securityfocus.com



Pi3Web/2.0.0 File-Disclosure/Path Disclosure
***************************************************
Vulnerability
*************

Discovered by: Teknophreak of Malloc()
**************************************
Date: March 9 2002
*******************
Contact: tek@superw00t.com
***************************

Pi3Web is a Webserver available for multiple Microsoft Windows
platforms.


There are multiple disclosure flaws within the webserver that may
assist an attacker in performing more concentrated attacks against
the server and also can allow the disclosure of sensitive files on
the webserver.

To see the webroot directory, simply cause a 404 error:

http://pi3web-host.com/fake_page


To view files on the web server that you are not supposed to see,
do something like:

http://pi3web-host.com/*.extension




Quick Fix:
-------------

Don't use it or wait for vendor patch.
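
Added example (not part of the original advisory): a defender-side check for the two behaviours described above. It flags logged requests whose path contains a wildcard and finds absolute Windows paths in an error-page body. The Common Log Format input, the sample log lines and the sample 404 body are constructed assumptions, not Pi3Web output.

```python
import re

# Assumption: the access log is in Common Log Format; adapt REQUEST_RE otherwise.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Absolute Windows path (drive letter or UNC prefix) inside a response body.
WIN_PATH_RE = re.compile(r'(?:\b[A-Za-z]:[\\/]|\\\\)[^\s<>"]+')

# Constructed sample data (documentation IP range, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2002:04:23:45 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [10/Mar/2002:04:24:02 +0000] "GET /*.extension HTTP/1.0" 200 512',
    '192.0.2.77 - - [10/Mar/2002:04:24:09 +0000] "GET /fake_page HTTP/1.0" 404 310',
    '192.0.2.77 - - [10/Mar/2002:04:24:15 +0000] "GET /docs/%2A.extension HTTP/1.0" 200 498',
]
SAMPLE_404_BODY = "<html><body>404 Not Found: C:\\example\\webroot\\fake_page</body></html>"


def wildcard_requests(log_lines):
    """Return (line_no, target, status) for requests whose path contains '*'.

    The percent-encoded form '%2a' is checked as well, because it decodes to
    the same character. The query string is ignored; only the path is tested.
    """
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we can parse
        path = match.group("target").split("?", 1)[0]
        if "*" in path or "%2a" in path.lower():
            hits.append((line_no, match.group("target"), int(match.group("status"))))
    return hits


def leaked_paths(error_body):
    """Return absolute Windows filesystem paths found in an error-page body."""
    return WIN_PATH_RE.findall(error_body)


if __name__ == "__main__":
    for line_no, target, status in wildcard_requests(SAMPLE_LOG):
        print(f"line {line_no}: wildcard in request path {target!r} (status {status})")
    for path in leaked_paths(SAMPLE_404_BODY):
        print(f"error page discloses filesystem path: {path}")
```

A wildcard request answered with status 200 is the case to review first, since it means the server returned content for the pattern rather than rejecting it.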