WebObjects DoS

2000-04-07T00:00:00
ID SECURITYVULNS:DOC:25
Type securityvulns
Reporter Securityvulns
Modified 2000-04-07T00:00:00

Description

Howdy, We've found a DoS in WebObjects apps (with a possible remote exploit). So far we've found this problem in WebObjects 4.5 Developer running with the CGI-adapter and IIS 4.0 on NT 4.0 SP5. WO 4.5 Beta on Solaris 2.6 with Netscape Enterprise isn't vulnerable.

Overview: If you send a large (4.1K) header variable to the webobjects app it will core (fires up doctor watson). This may result in a remotely executable exploit as the user running IIS, but I haven't taken the time to check

Implementation: This worked on any app we tested it on, including "empty" projects that did nothing. Construct a message as follows

POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0 Accept: AAAAAAAAA.... (about 4.1K worth of A's) Content-Length: 16

uselessdata=dork

That's it. The app will die and fire up a doctor watson window.