skip to navigation. Skip to the content.
> Advisories > rt-sa-2005-010 vertical divider

Pico Server (pServ) Remote Command Injection

RedTeam found a remote command injection in Pico Server (pServ) which results in a remote attacker being able to issue arbitrary commands on the server. 


Product: Pico Server (pServ)
Affected Version: 3.2(verified), <=3.2 probably too
Immune Version: 3.3
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-Status: new version available
Advisory-Status: published
CVE: CAN-2005-1365
( #)

Pico Server is a small web server. It is meant to be portable and configurable.

* small, portable
* fast
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyzer) * forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style so it can compile on older compilers too) and sports several options that by means of #define statements can customize the behavior, the performance and the feature set so to be able to fit better the the requisites.

If pServ is compiled with support for CGI-BIN a remote attacker is able to execute any program (with pServ permissions) on the server by traversing out of the cgi-bin directory.

More Details

pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated as cgi-scripts.
To avoid that a user traverses out of the cgi-bin using traditional /../, pServ parses the requested url. It increases a counter by one if it parses a / (new subdir) and decreases the counter if ist parses /../. If the counter goes below zero the url is rejected as illegal. Unfortunately an attacker can avoid beeing rejected, just using enough / in the url (without directory names between them), so he can traverse out of the cgi-bin by adding some /../ . This lets the attacker execute any program on the server (with pServ permissions).

Proof of Concept

The following url downloads a script (or executable) to the server:

This is how the script can be executed afterwards:


The only workaround is to compile pServ without support for cgi-bin. 


The Developers have released Version 3.3. This version should fix the problem. The changes have not been tested by RedTeam, yet. 

Security Risk

The security risk is rated very high because a remote attacker can use this flaw to execute arbitrary code on the server (with the permissions of pServ). 


2005-04-29 found 
2005-05-02 first attempt to inform developers
2005-05-02 CAN-number assigned
2005-05-04 second attempt to inform developers
2005-05-16 new version released. Advisory published
2009-05-08 Updated Advisory URL


RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more Information on the RedTeam Project at