skip to navigation. Skip to the content.
> Advisories > rt-sa-2005-010 vertical divider

Pico Server (pServ) Remote Command Injection

RedTeam found a remote command injection in Pico Server (pServ) which results
in a remote attacker being able to issue arbitrary commands on the server.


Product: Pico Server (pServ)
Affected Version: 3.2(verified), <=3.2 probably too
Immune Version: 3.3
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-Status: new version available
Advisory-Status: published
CVE: CAN-2005-1365
( #)

Pico Server is a small web server. It is meant to be portable and

* small, portable
* fast
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyzer)
* forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style so it can compile on
older compilers too) and sports several options that by means of #define
statements can customize the behavior, the performance and the feature set so
to be able to fit better the the requisites.

If pServ is compiled with support for CGI-BIN a remote attacker is able to
execute any program (with pServ permissions) on the server by traversing out
of the cgi-bin directory.

More Details

pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated as
To avoid that a user traverses out of the cgi-bin using traditional /../,
pServ parses the requested url. It increases a counter by one if it parses a
/ (new subdir) and decreases the counter if ist parses /../. If the counter
goes below zero the url is rejected as illegal. Unfortunately an attacker can
avoid beeing rejected, just using enough / in the url (without directory
names between them), so he can traverse out of the cgi-bin by adding some
/../ . This lets the attacker execute any program on the server (with pServ

Proof of Concept

The following url downloads a script (or executable) to the server:

This is how the script can be executed afterwards:


The only workaround is to compile pServ without support for cgi-bin.


The Developers have released Version 3.3. This version should fix the
problem. The changes have not been tested by RedTeam, yet.

Security Risk

The security risk is rated very high because a remote attacker can use this
flaw to execute arbitrary code on the server (with the permissions of pServ).


2005-04-29 found 
2005-05-02 first attempt to inform developers
2005-05-02 CAN-number assigned
2005-05-04 second attempt to inform developers
2005-05-16 new version released. Advisory published
2009-05-08 Updated Advisory URL


RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find more
Information on the RedTeam Project at