John Roy Pi3Web Path Disclosure Vulnerability

John Roy Pi3Web is a standard web server which includes CGI and ISAPI support. Pi3Web uses multithreading to handle system requests. Pi3Web is available for Windows, Linux and Solaris.

It has been reported that Pi3Web discloses the absolute path to the wwwroot directory when a non-existent page is requested. This is known to be a problem in the default configuration. Pi3Web can easily be configured not to display error messages to arbitrary web users.

This may enable an attacker to gather potentially sensitive information about a host running the default configuration of the software.

This issue was reported for the Microsoft Windows version of the software. Versions that run on other platforms may also be affected.
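
An administrator can verify whether their own server's error pages leak filesystem paths by inspecting the body returned for a non-existent page. The following check is an added example, not part of the original advisory or of Pi3Web; the function name `find_path_leaks`, the sample error bodies and the paths in them are constructed for illustration.

```python
import html
import re

# Drive-letter paths such as D:\dir\file or D:/dir/file. The lookbehind keeps
# URL schemes ("http://") from matching. Paths containing spaces are reported
# only up to the first space, which is still enough to flag the leak.
WINDOWS_PATH = re.compile(r'(?<![A-Za-z])[A-Za-z]:[\\/][^\s<>"\'|?*]+')
# Unix paths under common top-level directories. The lookbehind skips paths
# that are part of a URL (preceded by a host name, ':' or another '/').
UNIX_PATH = re.compile(
    r'(?<![\w/.:-])/(?:usr|var|home|opt|srv|etc|tmp)/[^\s<>"\']+')

def find_path_leaks(body, request_uri):
    """Return absolute filesystem paths found in an HTTP error body.

    request_uri is the path that was requested; error pages often echo it,
    and that echo is not a disclosure, so it is excluded.
    """
    text = html.unescape(body)  # paths may be entity-encoded (&#92; is a backslash)
    leaks = []
    for pattern in (WINDOWS_PATH, UNIX_PATH):
        for match in pattern.finditer(text):
            path = match.group(0).rstrip(".,;:)")  # drop sentence punctuation
            if path != request_uri and path not in leaks:
                leaks.append(path)
    return leaks

# Constructed sample bodies (not real Pi3Web output).
LEAKY = r'<h1>404</h1><p>File D:\sites\wwwroot\missing.html does not exist.</p>'
ENCODED = 'Cannot open D:&#92;sites&#92;wwwroot&#92;a.html.'
CLEAN = ('<h1>404</h1><p>The requested URL /home/missing.html was not found. '
         'See http://example.test/var/help</p>')

if __name__ == "__main__":
    for name, body, uri in (("leaky", LEAKY, "/missing.html"),
                            ("encoded", ENCODED, "/a.html"),
                            ("clean", CLEAN, "/home/missing.html")):
        print(name, find_path_leaks(body, uri))
```

A non-empty result for a 404 response indicates the server is still returning verbose error messages to web users.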


Copyright 2010, SecurityFocus