| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Jan 2007 07:39:03 +0100 From: "C0r3 1mp4ct" <c0r31mp4ct@...il.com> To: bugtraq@...urityfocus.com Subject: Re: AToZed Software Intraweb Component for Borland Delphi and Kylix DoS vulnerability Please look at Olaf's blog at AToZed to decide if the bug was fake or real! http://blogs.atozed.com/Olaf/ C0r31mp4ct On 1/23/07, C0r3 1mp4ct <c0r31mp4ct@...il.com> wrote: > Type: Deniel of Service > Severity: Critical > Title: AToZed Software IntraWeb Component for Borland Delphi and Kylix > DoS vulnerability > Date: January 23, 2007 > > Synopsys > -------- > > A DoS vulnerability exists in the IntraWeb Component of AToZed Software. > > Background > --------- > > IntraWeb is a RAD component for Borland Delphi and Kylix by AToZed Software, > which allows developers to rapidly develop webapplication. > This component is commonly used by Borland developers internationally. > > Description > ----------- > > DoS conditions occurs, when a specially crafted HTTP request is sent > to the webapplication. > After the request, the affected thread enters into an infinte loop, and hangs. > Under IIS 5.x, the thread will never be stopped. > Under IIS 6 the webserver automatically stops the thread after the > configured amount of time, or CPU usage. > > Impact > ------ > > An attack can cause the webapplication to slow down, and after more > specially crafted request, to stop processing requests. > > WorkAround > ---------- > > There is no vendor supplied workaround for the problem at this time. > > A possible workaround can be, to filter the request body for the > special request, and repair it. > It can be achieved, by overriding the function called > "OnBeforeDispatch" of the TIWServerController object, and repair the > request, by changing the "Request.Content" field. > > Affected versions > ----------------- > > IntraWeb 8.0 and lower versions > > Vulnerability timeline > ---------------------- > > 2006.08. - Vendor notified, but no answer > 2007.01.23 - Vulnerability publicly available > > Discovery is credited to: C0r31mp4ct >
Powered by blists - more mailing lists