Yesterday IntraWeb was mentioned on Bugtraq, the security mailing list that reports possible issues in any type of computer software. The reported IntraWeb issue has since been isolated and a fix is provided.

On Bugtraq there is a report about a possible denial-of-service (DoS) attack against IntraWeb applications:

http://www.securityfocus.com/archive/1/457758

Do not panic! See this article for a hotfix.

We have never been contacted by the author of this report – in contrast to what is said in this report. Also, the suggested workaround is technically invalid:

Description
-----------

A DoS condition occurs when a specially crafted HTTP request is sent to the web application.
After the request, the affected thread enters into an infinite loop, and hangs.

Of course, due to the nature of software, we cannot guarantee that such a vulnerability does not exist. We have contacted the author and asked him to send us the exact description to prove that statement.

WorkAround
----------

There is no vendor supplied workaround for the problem at this time.

A possible workaround can be to filter the request body for the special request, and repair it.

It can be achieved by overriding the function called “OnBeforeDispatch” of the TIWServerController object, and repairing the request by changing the “Request.Content” field.

Request.Content is a read-only property of TWebRequest (which is not an IntraWeb class, but is introduced by Delphi’s WebBroker architecture), and thus cannot be changed as the author suggests.

Both not having informed us and supplying an invalid/incomplete workaround make this report look like a fake, published to blame IntraWeb.

In the meantime I was able to contact the original author (who still did not unveil his real name – I only know his nickname “Core Impact”), and he finally provided the necessary steps to reproduce the issue he observed.

We will carefully listen to any reports, and if somebody finds anything – just contact us/me! We care about our customers and will provide a solution ASAP – if there should be a real issue! See the hotfix article!

  • http://www.skyboard.cn Lenn Dolling

    Has this issue been resolved for intraweb 10 I wonder….

    Lenn Dolling
    Skyboard Software
    Skyboard.Cn

  • http://www.monien.net/blog Olaf Monien

    This has been resolved in IW 9.0 (I'd have to check the history log to find out which minor version). In other words, IW 10 should not have that issue either.
