The possible DOS attack which was reported a few hours ago was verified and is fixed in IntraWeb 9.0 (soon to be released). For existing applications please apply the code as mentioned in this article.

Update 2: Please see the updated workaround below.

The possible DOS attack on IntraWeb applications mentioned earlier today has been verified by our engineers. Its source is an “ugly behavior” of a Delphi routine, which may cause an infinite loop in IntraWeb applications under certain conditions.

I’m not going to demonstrate how to reproduce this attack, to avoid hangs of your applications caused by “too curious” people “testing” your applications.

To protect your application against this DOS attack please follow these steps:

  1. Open your ServerController.pas unit and add an OnBeforeDispatch event handler.
  2. Add the following lines (the while loop) to the event handler created in step one.
  3. If you already have an OnBeforeDispatch handler, add these lines above your own code.


procedure TIWServerController.IWServerControllerBaseBeforeDispatch(Sender: TObject;
  Request: TWebRequest; Response: TWebResponse; var Handled: Boolean);
begin
  // Collapse every empty line (CRLF CRLF) in the posted content fields to a
  // single CRLF before IntraWeb processes the request. The loop is required
  // because a single StringReplace pass leaves a match behind whenever three
  // or more CRLFs are adjacent.
  while Pos(#$D#$A#$D#$A, Request.ContentFields.Text) > 0 do
    Request.ContentFields.Text := StringReplace(Request.ContentFields.Text,
      #$D#$A#$D#$A, #$D#$A, [rfReplaceAll]);
end;

Update: Please note that there is now a while loop, which extends the first hot fix.
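To show why the while loop matters, here is an added example (not code from the article and not part of IntraWeb) that wraps the same normalization in a stand-alone Free Pascal/Delphi program and counts how many passes the loop needs on a constructed request body. StringReplace does not overlap its matches, so four consecutive CRLFs collapse to two in the first pass, which still contains the pattern; the first single-pass hot fix would have stopped there. The function name, the Passes counter and the sample body are assumptions for this demonstration.

```pascal
{$mode delphi}
program CollapseBlankLinesDemo;

uses
  SysUtils;

// Added example, not the article's or IntraWeb's code.
// Collapses every CRLF CRLF in S to a single CRLF, exactly as the
// OnBeforeDispatch workaround does, and reports in Passes how many
// StringReplace rounds were needed before Pos found no more matches.
function CollapseBlankLines(const S: string; out Passes: Integer): string;
begin
  Result := S;
  Passes := 0;
  // Non-overlapping replacement: CRLF x4 -> CRLF x2 -> CRLF, so a single
  // pass is not enough when three or more CRLFs are adjacent.
  while Pos(#$D#$A#$D#$A, Result) > 0 do
  begin
    Result := StringReplace(Result, #$D#$A#$D#$A, #$D#$A, [rfReplaceAll]);
    Inc(Passes);
  end;
end;

// Makes line breaks visible for printing.
function Escape(const S: string): string;
begin
  Result := StringReplace(S, #$D#$A, '\r\n', [rfReplaceAll]);
end;

const
  CRLF = #$D#$A;
var
  Body, Cleaned: string;
  Passes: Integer;
begin
  // Constructed sample: two content fields separated by four CRLFs.
  Body := 'a=1' + CRLF + CRLF + CRLF + CRLF + 'b=2';
  Cleaned := CollapseBlankLines(Body, Passes);
  WriteLn('before : ', Escape(Body));
  WriteLn('after  : ', Escape(Cleaned));
  WriteLn('passes : ', Passes);
  WriteLn('remaining CRLF CRLF at position: ', Pos(CRLF + CRLF, Cleaned));
end.
```

Compile with `fpc CollapseBlankLinesDemo.pas` and run it; the pass counter is greater than one for this input, which is the case the first hot fix missed, and the final Pos check confirms no empty line survives.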

The next IntraWeb 9.0 build (9.0.12) will have this fixed internally.

We care about our customers and try to provide solutions for situations like this one. Please contact us first, though, if you think you have discovered something which should be addressed immediately. Sending reports to “Bugtraq” or any other mailing lists not operated by Atozed may cause unnecessary delays. As you have seen, we provided a solution within hours after we found “ourselves” on Bugtraq.
