Bugtraq mailing list archives
Re: Microsoft BackOffice component: adredir.asp
From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Sat, 3 Jun 2000 16:47:53 +0200
On Sun, 4 Jun 2000, Microsoft Security Response Center wrote:
> * There was no denial of service. When we sent a sufficiently long bogus URL to Adredir.asp, the server did drop the connection. This was an appropriate response, since the URL was invalid.
Hm, but other BO scripts usually won't drop the connection silently with e.g. a 1 kb long parameter, returning an error message instead? I can't see any URL validation scheme either - almost everything is passed through. So, my question is: why does the script silently drop the connection (without any error message or anything else) with e.g. 1 kB of input data - it's rather unique behaviour - and why do some values (around 500-510 bytes) cause incomplete script output to be sent? Hmmm... Also, with a really long url= parameter (I mean, over 1.5 kB) the server quite often won't drop the specific connection, but will keep it alive, without sending any response for this HTTP request.
> * There was no opportunity to run arbitrary code. No matter how long the URL was, it did not overwrite either the stack or the heap. We double-checked our results by doing a source code review, and found that there are no fixed-length buffers at all in Adredir.asp, and the code appears to properly validate all inputs before using them.
It could also be a problem with IIS - does it properly handle long HTTP headers returned by scripts? adredir.asp returns a long 'Location: ' header. But there is a problem, IMHO.
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=