A possible DoS attack against IntraWeb applications has been reported to Bugtraq (see my blog). The issue has now been verified. The root cause is an "ugly behavior" of a Delphi routine which, under certain conditions, can cause an infinite loop in IntraWeb applications.
I'm not going to demonstrate how to reproduce this attack here; there might be too many curious people "testing" your applications ;-)
To protect your application against this DoS attack, please follow these steps:
- Open your ServerController.pas unit and add an OnBeforeDispatch event handler.
- Add the check shown in the code below (originally marked in bold) to the event handler created in step one.
- If you already have an OnBeforeDispatch handler, add these lines above your own code.
```pascal
// The handler name is not shown in the original post; the parameter list is the
// standard IntraWeb/HTTPApp OnBeforeDispatch signature.
procedure ...(Sender: TObject; Request: TWebRequest; Response: TWebResponse;
  var Handled: Boolean);
begin
  // #$26 is '&'. If the raw request content contains "&&", discard the content
  // fields before the Delphi routine that misbehaves on this input ever sees them.
  if Pos(#$26#$26, Request.Content) > 0 then
    Request.ContentFields.Text := '';
end;
```
The next IntraWeb 9.0 build (9.0.12) will have this fixed internally.
We care about our customers and try to provide solutions for situations like this one. Please contact us first, though, if you think you have discovered something that should be addressed immediately. Sending reports to Bugtraq or any other mailing list not operated by Atozed may cause unnecessary delays. We provided a solution within hours after we found ourselves listed on Bugtraq.