IntraWeb DOS Hotfix

By: Olaf Monien

Abstract: On Jan 23rd, 2007, IntraWeb was mentioned on Bugtraq, the security mailing list that reports possible issues in any kind of computer software. The reported IntraWeb issue has been isolated and a fix is available.

A possible DoS attack against IntraWeb applications has been reported to Bugtraq (see my blog). This issue has now been verified. The source is an "ugly behavior" of a Delphi routine, which may cause an infinite loop in IntraWeb applications under certain conditions.

I'm not going to demonstrate how to reproduce this attack here. There might be too curious people "testing" your applications ;-)

To protect your application against this DoS attack, please follow these steps:

  1. Open your ServerController.pas unit and add an OnBeforeDispatch event handler.
  2. Add the if-statement shown below (the two lines between begin and end) to the event handler created in step one.
  3. If you already have an OnBeforeDispatch handler, add these lines above your own code.

procedure TIWServerController.IWServerControllerBaseBeforeDispatch(Sender:
    TObject; Request: TWebRequest; Response: TWebResponse; var Handled:
    Boolean);
begin
  // #$26 is the character code of '&'. If the raw request body contains two
  // consecutive ampersands, discard the parsed form fields so the affected
  // Delphi routine never processes that input.
  if pos(#$26#$26, Request.Content) > 0 then
    Request.ContentFields.Text := '';
end;
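The following is an added example, not IntraWeb or Atozed code, that models the hotfix above in Python: a pre-dispatch screen that drops the form fields when the raw body contains "&&" (the #$26#$26 sequence the Delphi check looks for), placed in front of a form-body parser written so that every loop iteration consumes input and the number of fields is capped. The parser is an assumption about the shape of the parsing involved, not the Delphi routine itself; it shows the property a defender wants from such a parser, namely that runs of "&" cannot keep it busy indefinitely.

```python
"""Model of the IntraWeb DoS hotfix (added example, not the project's code)."""
from urllib.parse import unquote_plus

# #$26 is the ASCII code of '&', so `pos(#$26#$26, Request.Content) > 0` in the
# Delphi handler tests for two consecutive ampersands anywhere in the raw body.
TRIGGER = b"&&"


def screen_request_body(content: bytes) -> bytes:
    """Model of the OnBeforeDispatch hotfix.

    If the raw body contains the trigger sequence the form fields are discarded
    (the Delphi code sets Request.ContentFields.Text := ''), so the parser that
    misbehaves on that input never sees it. Otherwise the body passes through.
    """
    return b"" if TRIGGER in content else content


def parse_form_fields(content: bytes, max_fields: int = 1000) -> dict:
    """Bounded application/x-www-form-urlencoded parser (assumed shape, see lead-in).

    The scan position advances by at least one byte per iteration, empty pairs
    produced by '&&' or a leading/trailing '&' are skipped, and at most
    max_fields pairs are accepted, so no body can make this loop run forever.
    """
    fields = {}
    pos = 0
    n = len(content)
    while pos < n:
        nxt = content.find(b"&", pos)
        if nxt == -1:
            nxt = n
        pair = content[pos:nxt]
        pos = nxt + 1  # always moves forward, even when pair is empty
        if not pair:  # '&&' yields an empty pair: nothing to decode, skip it
            continue
        if len(fields) >= max_fields:
            raise ValueError("too many form fields")
        name, _, value = pair.partition(b"=")
        fields[unquote_plus(name.decode("latin-1"))] = unquote_plus(
            value.decode("latin-1")
        )
    return fields


def dispatch(content: bytes) -> dict:
    """Request path with the hotfix screen in front of the parser."""
    return parse_form_fields(screen_request_body(content))


if __name__ == "__main__":
    # Constructed sample bodies: a normal POST and one carrying the trigger.
    print(dispatch(b"user=alice&action=view"))   # {'user': 'alice', 'action': 'view'}
    print(dispatch(b"user=alice&&action=view"))  # {} (fields dropped by the screen)
```

Note that a form-encoded client percent-encodes an ampersand inside a value as %26, so a literal "&&" in such a body can only be an empty field pair; the screen therefore discards nothing a well-formed urlencoded request would carry, which is also why the hotfix can afford to clear the fields rather than reject the request.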

The next IntraWeb 9.0 build (9.0.12) will have this fixed internally.

We care about our customers and try to provide solutions for situations like this one. Please contact us first, though, if you think you have discovered something that should be addressed immediately. Sending reports to "Bugtraq" or any other mailing list not operated by Atozed may cause unnecessary delays. We provided a solution within hours after we found "ourselves" listed on Bugtraq.