AToZed Software Intraweb Component for Borland Delphi and Kylix DoS vulnerability

2007-01-24T00:00:00
ID SECURITYVULNS:DOC:15810
Type securityvulns
Reporter Securityvulns
Modified 2007-01-24T00:00:00

Description

Type: Denial of Service
Severity: Critical
Title: AToZed Software IntraWeb Component for Borland Delphi and Kylix DoS vulnerability
Date: January 23, 2007

Synopsis

A DoS vulnerability exists in the IntraWeb Component of AToZed Software.

Background

IntraWeb is a RAD component for Borland Delphi and Kylix by AToZed Software that lets developers build web applications rapidly. The component is widely used by Borland developers internationally.

Description

The DoS condition occurs when a specially crafted HTTP request is sent to the web application. On receiving the request, the thread that handles it enters an infinite loop and hangs. Under IIS 5.x the thread is never stopped. Under IIS 6 the web server terminates it automatically once the configured time or CPU-usage limit is reached.

Impact

Each crafted request permanently occupies one worker thread. A single request slows the web application down; once enough crafted requests have been sent, no threads remain and the application stops processing requests altogether.

Workaround

There is no vendor supplied workaround for the problem at this time.

A possible workaround is to filter the request body for the triggering request and repair it before IntraWeb dispatches it. This can be done by handling the "OnBeforeDispatch" event of the TIWServerController object and rewriting the request through its "Request.Content" field.
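The following Delphi unit is an added illustration of the OnBeforeDispatch workaround; it is not code from the advisory or from AToZed. The advisory does not publish what the triggering request body looks like, so BodyLooksWellFormed is a generic sanity filter for application/x-www-form-urlencoded bodies (size cap, field-count cap, allowed character set, one "name=value" per field), not a signature for the actual trigger. The event signature shown (Sender, Request: TWebRequest, Response: TWebResponse, var Handled) and the MaxBodyLength and MaxFields limits are assumptions; check them against the IntraWeb version in use. Rather than rewriting Request.Content, the handler rejects the request with HTTP 400 and sets Handled, which sidesteps the question of whether Content is writable in a given release.

```delphi
unit ServerController;

interface

uses
  SysUtils, Classes, HTTPApp, IWServerControllerBase, IWInit;

type
  TIWServerController = class(TIWServerControllerBase)
    // Assumed signature of the IntraWeb OnBeforeDispatch event handler.
    procedure IWServerControllerBaseBeforeDispatch(Sender: TObject;
      Request: TWebRequest; Response: TWebResponse; var Handled: Boolean);
  private
    function BodyLooksWellFormed(const Body: string): Boolean;
  end;

implementation

{$R *.dfm}

const
  MaxBodyLength = 64 * 1024; // assumed cap; IntraWeb form posts are small
  MaxFields     = 256;       // assumed cap on '&'-separated fields

// Generic well-formedness check for a urlencoded body. The advisory does
// not disclose the malformed pattern that hangs the dispatcher, so this is
// a conservative filter rather than a match on the actual trigger.
function TIWServerController.BodyLooksWellFormed(const Body: string): Boolean;
var
  Rest, Field: string;
  I, P, FieldCount: Integer;
begin
  Result := False;
  if Length(Body) > MaxBodyLength then Exit;

  // Only unreserved characters, percent-escapes and form separators.
  for I := 1 to Length(Body) do
    if not (Body[I] in ['A'..'Z', 'a'..'z', '0'..'9',
                        '-', '_', '.', '~', '*', '%', '+', '&', '=']) then
      Exit;

  Rest := Body;
  FieldCount := 0;
  while Rest <> '' do
  begin
    P := Pos('&', Rest);
    if P = 0 then
    begin
      Field := Rest;
      Rest := '';
    end
    else
    begin
      Field := Copy(Rest, 1, P - 1);
      Rest := Copy(Rest, P + 1, MaxInt);
    end;
    Inc(FieldCount);
    if FieldCount > MaxFields then Exit;

    // Each field must be "name=value": non-empty name, exactly one '='.
    P := Pos('=', Field);
    if (P <= 1) or (Pos('=', Copy(Field, P + 1, MaxInt)) <> 0) then Exit;
  end;
  Result := True;
end;

procedure TIWServerController.IWServerControllerBaseBeforeDispatch(
  Sender: TObject; Request: TWebRequest; Response: TWebResponse;
  var Handled: Boolean);
begin
  // An empty body (GET, or a POST without content) passes the check.
  if not BodyLooksWellFormed(Request.Content) then
  begin
    Response.StatusCode   := 400;
    Response.ReasonString := 'Bad Request';
    Response.ContentType  := 'text/plain';
    Response.Content      := 'Malformed request body rejected.';
    Response.SendResponse;
    Handled := True; // stop IntraWeb from dispatching the request
  end;
end;

end.
```

Wire the method to the server controller's OnBeforeDispatch event in the form designer or in the constructor. Because the filter is deliberately strict, test it against the application's own forms first: any legitimate post that it rejects shows up immediately as a 400 in the IIS log, whereas a missed attack only shows up as a thread that never returns.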

Affected versions

IntraWeb 8.0 and lower versions

Vulnerability timeline

2006.08 - Vendor notified, no answer received
2007.01.23 - Vulnerability published

Discovery is credited to: C0r31mp4ct