CVE-2008-6938

Pi3Web 2.0.3 before PL2, when installed on Windows as a desktop application and without using the Pi3Web/Conf/Intenet.pi3, allows remote attackers to cause a denial of service (crash or hang) and obtain the full pathname of the server via a request to a file in the ISAPI directory that is not an executable DLL, which triggers the crash when the DLL load fails, as demonstrated using Isapi\users.txt.

Published: Aug 11, 2009
Updated: Apr 13, 2023
CVE: CVE-2008-6938
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
holger_zimmermann / pi3web	1.0.1	1.0.1.x
holger_zimmermann / pi3web	2.0	2.0.x
holger_zimmermann / pi3web	2.0.2_beta_1	2.0.2_beta_1.x
holger_zimmermann / pi3web	-	2.0.3_pl1.x
holger_zimmermann / pi3web	2.0.1	2.0.1.x

http://archives.neohapsis.com/archives/bugtraq/2008-11/0171.html
http://secunia.com/advisories/32696
http://www.osvdb.org/49998
http://www.osvdb.org/49999
http://www.securityfocus.com/archive/1/498575
http://www.securityfocus.com/archive/1/498602
http://www.securityfocus.com/archive/1/498770
http://www.securityfocus.com/archive/1/498771
http://www.securityfocus.com/archive/1/498865
http://www.securityfocus.com/bid/32287
https://exchange.xforce.ibmcloud.com/vulnerabilities/46600
https://www.exploit-db.com/exploits/7109

Vulnerability Database

290,301

CVE-2008-6938