Bugtraq mailing list archives
WebObjects DoS
From: gdead () FORTNOCS COM (Bruce Potter)
Date: Tue, 4 Apr 2000 10:17:24 -0800
Howdy, We've found a DoS in WebObjects apps (with a possible remote exploit). So far we've found this problem in WebObjects 4.5 Developer running with the CGI-adapter and IIS 4.0 on NT 4.0 SP5. WO 4.5 Beta on Solaris 2.6 with Netscape Enterprise isn't vulnerable. Overview: If you send a large (4.1K) header variable to the webobjects app it will core (fires up doctor watson). This may result in a remotely executable exploit as the user running IIS, but I haven't taken the time to check Implementation: This worked on any app we tested it on, including "empty" projects that did _nothing_. Construct a message as follows POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0 Accept: AAAAAAAAA.... (about 4.1K worth of A's) Content-Length: 16 uselessdata=dork That's it. The app will die and fire up a doctor watson window.
Fromour testing, it appears that as long as you have > 4.1K worth
of headers, the app will die (ie: you don't need to have all the data in one variable). We submitted this vulnerablity to Apple last week. To their credit they responded in a resonable timeframe. According to the testing done on their end, this DoS is only present when you use a development license. WO with deployment licenses are not vulnerable. Our deployment license is "in the mail" so we haven't been able to test this. Seems a bit odd to me being that you keep the same software and just change the license key to "upgrade" from devel to deploy... there's no new software installed. We'll see. The Shmoo Group http://www.shmoo.com http://www.macsecurity.org
Current thread:
- WebObjects DoS Bruce Potter (Apr 04)