Followup to MetaInfo vulnerabilities

jeffWIRETRIP.NET

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Jim Bourne: "Re: SECURITY: redhat, the saga continues.."
• Previous message: Andy Polyakov: "Re: Sun libnsl lameness"

Shortly after releasing the public bugtraq post, I was contacted by
MetaInfo regarding the problem and was told that they had just put a patch
online, available, with instructions, at www.metainfo.com/download.

While this patch corrected the problem of transversal into higher levels
of the filesystem, it was still open to another kind of DoS attack. If an
attacker was to send a GET request to MetaWeb server that contained around
8K of characters, the MetaWeb server process would spike to 100% CPU
utilization, and stay there indefinately.

Example:

http://mail.server.com:5000/index.htm?<insert 8K of characters here>

This would put the server in an unstable state; now, a regular request
will cause to to spike and hang:

http://mail.server.com:5000/

MetaInfo was contacted about this problem as well; they released a patch
to fix this problem. You can download a copy from www.forristech.com, or
check to see if it's available on MetaInfo's site yet.

-Jeff Forristal

• Next message: Jim Bourne: "Re: SECURITY: redhat, the saga continues.."
• Previous message: Andy Polyakov: "Re: Sun libnsl lameness"