I have found that a LabVIEW application running the Web Server can be crashed from any machine that has access to it. The Browser Access List denial of an IP address will not prevent this crash.
I have reported the details and National Instruments has confirmed the report and responded with this: "Crashing LabVIEW Through the G Web Server Using TCP VIs", http://digital.ni.com/public.nsf/websearch/4C3F86E655E5389886256BA00064B22F?OpenDocument
It turns out that this crash will only occur if the web server logging is enabled.
Aborting a server is generally categorized as a Denial of Service (DoS) attack. In this case, it is the LabVIEW application itself that aborts, web server and all. This can be more serious than the usual DoS if the application is performing some other important activity by running VIs. They would unexpectedly abort along with the rest of LabVIEW.
This attack does not enable reading or writing drives, or otherwise controlling the host machine, the vulnerabilities that you asked about. I have even tried to trick the server into getting pages outside of its root directory without success.
If you are running a LabVIEW Web Server, you should certainly disable web server logging. If you could not tolerate an unexpected abort in some LabVIEW VIs that you are running and want to be even safer, I recommend that you do not run them in the same LabVIEW application that is running the LabVIEW Web Server. The principle here is compartmentalization.
On one hand, the small number of deployed servers, relative to other more numerous and attractive targets, has not attracted undesired attention. So you're pretty safe now. On the other hand, LabVIEW is growing and moving to the Internet, and LabVIEW systems control machines and chemical processes, not merely data and dollars. Think about the risks as well as the convenience of using the web.
Steve Zins -- steve @ iLabVIEW . com