lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070420064038.13961.qmail@securityfocus.com>
Date: 20 Apr 2007 06:40:38 -0000
From: dean@...ttle.com
To: bugtraq@...urityfocus.com
Subject: NeatUpload vulnerability and fix

Product: NeatUpload

Synopsis: A race condition in several versions of the NeatUpload ASP.NET component could sometimes cause portions of responses to be sent to the wrong user, potentially revealing sensitive information to unauthorized users.

Vulnerable versions: 1.2.11-1.2.16, 1.1.18-1.1.23, and trunk.379-trunk.445.

Fixed in: 1.2.17, 1.1.24, and trunk.448

Credit: Thanks to Jamie Howell with starnow.com, and Michael Teper with Elanex, Inc. (www.elanex.com), for reporting the problem and testing the fix.

Detailed description:

The problem was caused by part of a fix introduced in 1.2.11 (and 1.1.18) which caused HttpWorkerRequest.FlushResponse(bool finalFlush) to be called twice for the same HttpWorkerRequest with finalFlush=true. That probably caused ASP.NET's response buffer to be reused for another request before the response was sent.  The problem is more likely to occur when the server is handling multiple requests simultaneously.

The easiest way to exploit this vulnerability would be to make many simultaneous requests to the server, hoping to trigger the problem and receive a portion of another users response that contains sensitive information.

Recommended fix:

Users should upgrade to latest patch version for the release they are using.  

Alternatively, the following patch can be applied:

Index: DecoratedWorkerRequest.cs
===================================================================
--- DecoratedWorkerRequest.cs   (revision 442)
+++ DecoratedWorkerRequest.cs   (revision 443)
@@ -125,8 +125,9 @@
                {
                        if (Exception == null)
                        {
-                               if (log.IsDebugEnabled) log.Debug("Calling FlushResponse(" + finalFlush + ")");
-                               OrigWorker.FlushResponse(finalFlush);
+                               if (log.IsDebugEnabled) log.Debug("FlushResponse(" + finalFlush + ") called -> Calling FlushResponse(false)");
+                               // Always pass false so that ASP.NET doesn't recycle response buffers while they are still in use.
+                               OrigWorker.FlushResponse(false);
                        }
                }




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ