CVE-2008-6938
published 2009-08-11

Priority: P4 (26)
CVSS 2.0: 4.3 (medium), vector AV:N/AC:M/Au:N/C:N/I:N/A:P
Exploit: available
EPSS: 26.48% (97.8th percentile)
Pi3Web 2.0.3 before PL2, when installed on Windows as a desktop application and without using the Pi3Web/Conf/Intenet.pi3, allows remote attackers to cause a denial of service (crash or hang) and obtain the full pathname of the server via a request to a file in the ISAPI directory that is not an executable DLL, which triggers the crash when the DLL load fails, as demonstrated using Isapi\users.txt.

Affected (5 ranges)

Vendor             | Product | Version range | Fixed in
holger_zimmermann  | pi3web  | <= 2.0.3_pl1  |
holger_zimmermann  | pi3web  |               |
holger_zimmermann  | pi3web  |               |
holger_zimmermann  | pi3web  |               |
holger_zimmermann  | pi3web  |               |

Detection & IOCs (extracted from sources)

path: Isapi\users.txt
path: /isapi/users.txt
path: /isapi/install.daf
path: /isapi/readme.daf
  • Detect HTTP requests that target the /isapi/ or /Isapi/ directory and name a non-DLL file (e.g. .txt or .daf extensions); such requests trigger the DoS condition on Pi3Web 2.0.3.
  • Monitor for HTTP GET requests to paths matching /isapi/*.txt or /isapi/*.daf as indicators of exploitation attempts against Pi3Web servers.
  • A successful exploit may also leak the server's full installation path in the response; monitor HTTP error responses from Pi3Web for path disclosure.
  • The vulnerability applies only when Pi3Web is installed on Windows as a desktop application AND is run without the Pi3Web/Conf/Intenet.pi3 configuration file.
  • Mitigation: delete the non-DLL files from the ISAPI folder (users.txt, install.daf, readme.daf) so that no triggerable targets remain.
  • Affected versions are Pi3Web 2.0.3 before PL2; the Metasploit module references versions 2.0.13 and earlier as vulnerable.