Updated IntraWeb DOS Attack Hotfix available (Update: 16.02.2007)
Posted by in Miscellaneous, tags: Delphi, IntraWeb, ServerController

Last week a possible DOS attack against IntraWeb applications was reported. The first hotfix, which we released immediately after the report was made public, may cause unwanted side effects. Please use the updated hotfix shown in this article instead.
The first hotfix for the possible DOS attack may cause unexpected side effects under certain conditions.
The DOS (Denial-Of-Service) attack is based on manipulated HTTP requests. Certain manipulations – which are not explained here – may lead to unexpected behaviour of certain Delphi string routines. This caused an infinite loop in IntraWeb’s request processing. The internal fix in IntraWeb 9.0.12 was to use a “stable” variant of this string handling routine.
However, for older IntraWeb versions you have to apply a workaround manually in your application’s source code, because you don’t have access to IntraWeb’s internal request processing. The first version of this workaround tried to “heal” the manipulated request. After further research we found it much safer to ignore such manipulated requests entirely. The attack relies on an explicit HTTP manipulation, so if a manipulation is detected, ignoring that request is “harmless”.
To protect your application against this DOS attack, please follow these steps:
- If you have IntraWeb 9.0.12 or higher, no action is needed.
- For IntraWeb 9.0.11 and all versions below, follow these steps:
- Open your ServerController.pas unit and add an OnBeforeDispatch event handler.
- Add the lines shown in bold below to the event handler created in the previous step.
- If you already have an OnBeforeDispatch handler, add these lines above your own code.
uses HTTPApp;
…
procedure TIWServerController.IWServerControllerBaseBeforeDispatch(Sender: TObject;
  Request: TWebRequest; Response: TWebResponse; var Handled: Boolean);
begin
  // A non-multipart request whose body contains the byte sequence #$26#$26 ('&&')
  // is treated as manipulated: its content fields are cleared so IntraWeb's
  // request processing never sees the manipulated data.
  if (Pos('multipart', Request.ContentType) = 0)
    and (Pos(#$26#$26, Request.Content) > 0) then
    Request.ContentFields.Text := '';
end;
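To check the decision rule outside of a running IntraWeb application before deploying it, the same test can be pulled into a plain function and exercised against a few constructed request bodies. The following console program is an added example, not part of the original hotfix or of IntraWeb; the sample requests, the function name IsManipulatedRequest and the use of Free Pascal's Delphi mode are assumptions. It keeps the hotfix's two conditions exactly: the body must not be multipart, and it must contain the byte sequence #$26#$26.

```pascal
program IgnoreManipulatedRequests;
{$mode delphi}  // assumption: Free Pascal in Delphi-compatible mode; remove this line for Delphi

uses
  SysUtils;

// Same test as the hotfix's OnBeforeDispatch handler: a request whose
// content type is not multipart and whose body contains #$26#$26 ('&&')
// is treated as manipulated and would have its ContentFields cleared.
function IsManipulatedRequest(const ContentType, Content: string): Boolean;
begin
  Result := (Pos('multipart', ContentType) = 0)
        and (Pos(#$26#$26, Content) > 0);
end;

type
  TSample = record
    Name, ContentType, Content: string;
  end;

const
  // Constructed sample requests for illustration, not captured traffic.
  Samples: array[0..3] of TSample = (
    (Name: 'normal form post';
     ContentType: 'application/x-www-form-urlencoded';
     Content: 'Edit1=hello&Button1=Submit'),
    (Name: 'form post with doubled separator';
     ContentType: 'application/x-www-form-urlencoded';
     Content: 'Edit1=hello&&Button1=Submit'),
    (Name: 'multipart upload whose payload contains &&';
     ContentType: 'multipart/form-data; boundary=xyz';
     Content: '--xyz'#13#10'Content-Disposition: form-data; name="f"'#13#10#13#10 +
              'a&&b'#13#10'--xyz--'),
    (Name: 'empty body';
     ContentType: 'application/x-www-form-urlencoded';
     Content: '')
  );

var
  I: Integer;
begin
  for I := Low(Samples) to High(Samples) do
    if IsManipulatedRequest(Samples[I].ContentType, Samples[I].Content) then
      WriteLn(Samples[I].Name, ': ignored (ContentFields would be cleared)')
    else
      WriteLn(Samples[I].Name, ': processed normally');
end.
```

Only the second sample is ignored; the multipart sample is processed normally even though its payload contains '&&', because the hotfix deliberately exempts multipart bodies, and the empty body is processed normally because Pos returns 0 for it.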