From: Richard M. Smith (rms PRIVACYFOUNDATION.ORG)
Date: Tue Apr 17 2001 - 06:32:57 CDT
Hello,
>>> Microsoft ISA server includes a web proxy component
>>> (W3PROXY.EXE) that is used for both the "publishing"
>>> of internal web servers to the external network
>>> and for proxying of internal requests to external web servers.
>>> Sending a URL with a long pathname component to this proxy
>>> will cause it to terminate with an access violation error.
>>> For example, sending the (valid) HTTP request:
>>> GET http://hostname/aaa[3000 more occurrences of 'a'] HTTP/1.0\n\n
>>> to port 80 on the ISA Server's external interface will cause
>>> W3PROXY.EXE to terminate with an access violation.
I don't have access to an ISA server for testing, but this DoS attack
might also be exploitable from an HTML email message by
an outsider using the following <IMG> tag embedded in
a message:
<img src=http://hostname/aaa[3000 more occurrences of 'a']>
Another method of generating the DoS attack would be to
use JavaScript to create the long URL and then set
the "src" property of an Image object. This code could
also be embedded in an HTML email message.
Richard
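
A mail-gateway and proxy-side check for the condition discussed in this message, as an added example that is not part of the original post or the advisory: it flags auto-fetched URLs in an HTML body, and proxy-style request lines, whose path component is unusually long. The threshold `MAX_PATH_LEN`, the attribute set `FETCH_ATTRS` and all function names are assumptions; the sample inputs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed threshold: the advisory's example path is about 3000 characters;
# the exact length that triggers the fault is not stated on the page.
MAX_PATH_LEN = 2048
# Attributes that make a mail client or browser fetch a URL on render.
FETCH_ATTRS = {"src", "background", "lowsrc", "dynsrc"}

def path_len(url):
    """Length of the path of an http(s) URL, or 0 if not parseable as one."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return 0
    return len(parts.path) if parts.scheme.lower() in ("http", "https") else 0

class LongUrlFinder(HTMLParser):
    """Collect (tag, attribute, path length) for over-long auto-fetched URLs."""
    def __init__(self, max_path_len):
        super().__init__(convert_charrefs=True)
        self.max_path_len = max_path_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCH_ATTRS and value:
                n = path_len(value)
                if n > self.max_path_len:
                    self.findings.append((tag, name, n))

def scan_html(body, max_path_len=MAX_PATH_LEN):
    """Scan an HTML message body; handles quoted and unquoted attributes."""
    finder = LongUrlFinder(max_path_len)
    finder.feed(body)
    finder.close()
    return finder.findings

def request_line_too_long(line, max_path_len=MAX_PATH_LEN):
    """Check a proxy-style request line: METHOD absolute-URI VERSION."""
    fields = line.split()
    return len(fields) == 3 and path_len(fields[1]) > max_path_len

# Constructed samples mirroring the shapes quoted in the message above.
LONG_URL = "http://hostname/" + "a" * 3003
SAMPLE_HTML = ("<html><body><img src=" + LONG_URL + ">"
               '<img src="http://hostname/logo.gif"></body></html>')

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(request_line_too_long("GET " + LONG_URL + " HTTP/1.0"))
```

A static scan like this does not see URLs that script builds at render time, so the JavaScript variant mentioned above still needs the request-line check at the proxy or script stripping at the mail gateway.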