NeatUpload vulnerability and fix

Type securityvulns
Reporter Securityvulns
Modified 2007-04-20T00:00:00


Product: NeatUpload

Synopsis: A race condition in several versions of the NeatUpload ASP.NET component could sometimes cause portions of responses to be sent to the wrong user, potentially revealing sensitive information to unauthorized users.

Vulnerable versions: 1.2.11-1.2.16, 1.1.18-1.1.23, and trunk.379-trunk.445.

Fixed in: 1.2.17, 1.1.24, and trunk.448

Credit: Thanks to Jamie Howell with, and Michael Teper with Elanex, Inc. (, for reporting the problem and testing the fix.

Detailed description:

The problem was caused by part of a fix introduced in 1.2.11 (and 1.1.18) which caused HttpWorkerRequest.FlushResponse(bool finalFlush) to be called twice for the same HttpWorkerRequest with finalFlush=true. That probably caused ASP.NET's response buffer to be reused for another request before the response was sent. The problem is more likely to occur when the server is handling multiple requests simultaneously.

The easiest way to exploit this vulnerability would be to make many simultaneous requests to the server, hoping to trigger the problem and receive a portion of another users response that contains sensitive information.

Recommended fix:

Users should upgrade to latest patch version for the release they are using.

Alternatively, the following patch can be applied:

Index: DecoratedWorkerRequest.cs

--- DecoratedWorkerRequest.cs (revision 442) +++ DecoratedWorkerRequest.cs (revision 443) @@ -125,8 +125,9 @@ { if (Exception == null) { - if (log.IsDebugEnabled) log.Debug("Calling FlushResponse(" + finalFlush + ")"); - OrigWorker.FlushResponse(finalFlush); + if (log.IsDebugEnabled) log.Debug("FlushResponse(" + finalFlush + ") called -> Calling FlushResponse(false)"); + // Always pass false so that ASP.NET doesn't recycle response buffers while they are still in use. + OrigWorker.FlushResponse(false); } }