Re: AToZed Software Intraweb Component for Borland Delphi and Kylix DoS vulnerability

["C0r3 1mp4ct" <c0r31mp4ct () gmail com>]

Please look at Olaf's blog at AToZed to decide if the bug was fake or real!

http://blogs.atozed.com/Olaf/

C0r31mp4ct

On 1/23/07, C0r3 1mp4ct <c0r31mp4ct () gmail com> wrote:
> Type: Deniel of Service
> Severity: Critical
> Title: AToZed Software IntraWeb Component for Borland Delphi and Kylix
> DoS vulnerability
> Date: January 23, 2007
>
> Synopsys
> --------
>
> A DoS vulnerability exists in the IntraWeb Component of AToZed Software.
>
> Background
> ---------
>
> IntraWeb is a RAD component for Borland Delphi and Kylix by AToZed Software,
> which allows developers to rapidly develop webapplication.
> This component is commonly used by Borland developers internationally.
>
> Description
> -----------
>
> DoS conditions occurs, when a specially crafted HTTP request is sent
> to the webapplication.
> After the request, the affected thread enters into an infinte loop, and hangs.
> Under IIS 5.x, the thread will never be stopped.
> Under IIS 6 the webserver automatically stops the thread after the
> configured amount of time, or CPU usage.
>
> Impact
> ------
>
> An attack can cause the webapplication to slow down, and after more
> specially crafted request, to stop processing requests.
>
> WorkAround
> ----------
>
> There is no vendor supplied workaround for the problem at this time.
>
> A possible workaround can be, to filter the request body for the
> special request, and repair it.
> It can be achieved, by overriding the function called
> "OnBeforeDispatch" of the TIWServerController object, and repair the
> request, by changing the "Request.Content" field.
>
> Affected versions
> -----------------
>
> IntraWeb 8.0 and lower versions
>
> Vulnerability timeline
> ----------------------
>
> 2006.08.   - Vendor notified, but no answer
> 2007.01.23 - Vulnerability publicly available
>
> Discovery is credited to: C0r31mp4ct