IntraWeb on Bugtraq - No Panic! (Update)
Posted by: in Miscellaneous, tags: Delphi, IntraWeb, ServerController

Yesterday IntraWeb was mentioned on Bugtraq, the security mailing list that reports possible issues in any kind of software. The reported IntraWeb issue has since been isolated and a fix is available.
On Bugtraq there is a report about a possible denial of service (DoS) attack against IntraWeb applications:
http://www.securityfocus.com/archive/1/457758
Do not panic! See this article for a hotfix.
We were never contacted by the author of this report, contrary to what the report claims. The suggested workaround is also technically invalid. Quoting the report:
Description
———–
A DoS condition occurs when a specially crafted HTTP request is sent to the web application.
After the request, the affected thread enters an infinite loop and hangs.
Of course, given the nature of software, we cannot guarantee that no such vulnerability exists. We have asked the author to send us an exact description that substantiates this claim.
WorkAround
———-
There is no vendor supplied workaround for the problem at this time.
A possible workaround is to filter the request body for the special request and repair it.
This can be achieved by overriding the function called “OnBeforeDispatch” of the TIWServerController object and repairing the request by changing the “Request.Content” field.
Request.Content is a read-only property of TWebRequest (which is not an IntraWeb class but comes from Delphi’s WebBroker architecture), so it cannot be changed as the author suggests. A handler can read the request content, but it cannot rewrite it.
Both the failure to inform us and the invalid, incomplete workaround make this report look like a fake, published to discredit IntraWeb.
In the meantime I was able to contact the original author (who still has not revealed his real name; I only know his nickname, “Core Impact”), and he finally provided the steps needed to reproduce the issue he observed.