The following suggestion may be of interest to people running Tango / Witango applications that they can't upgrade to the latest version of Witango 5 at short notice.
It should be possible to work around the cookie buffer overflow vulnerability by stopping requests with oversized cookies at the web server, before they reach Tango. I've done some limited testing with this and it works fine as far as I can tell, but obviously the suggestion comes with ABSOLUTELY NO WARANTEE, blah, blah blah. If you find any problems with what I've proposed (either it lets things through that it shouldn't or it doesn't let things through that it should), please let me know, off-list in the first instance. Full details are here: http://www.edochan.com/tango/cookie_workaround.htm Ed Edgar --------------------------------------------------------------------------------------------------------- The Workaround IIS allows you to install third-party plugins (called ISAPI Filters) which can change requests before it processes them. We can use an ISAPI Filter to rewrite the URLs of suspicious requests so that IIS sends them somewhere other than Tango. The simplest way is to send them to a made-up HTML page, like "/tango_buffer_overflow_exploit.html". If you want immediate warnings of attacks, you might want to make a special CGI script and redirect them to that instead. What to do Head over to Querksoft and pick up a copy of IISRewrite for $99. If you want to test it first you can download their evaluation version. Install IISRewrite by following the instructions on their website. Put the following in your rewrite.ini file: [Warning: This may line-wrap.] RewriteEngine On ########################################################################### # # Rule to block Tango cookie buffer overflow exploit # Apply this rule to any request containing a cookie 128 bytes long, including the name. # Rewrite anything containing a Tango extension then the end of the string, or a question mark. # NB If your server lets Tango respond to other URLs, you should include those as well. RewriteCond %{HTTP_COOKIE} .*[^;]{128}.* RewriteRule (.*)\.(taf$|taf\?|tml$|tml\?|thtml$|thtml\?)(.*) /tango_buffer_overflow_exploit.html [L] # If you're really paranoid, use # RewriteRule .* /tango_buffer_overflow_exploit.html # ...to block oversized cookies for all requests. # ########################################################################### Restart IIS. It should no longer be possible to send excessively large cookies to your Tango server. Requests without excessively large cookies, or requests for pages other than .taf, .tml and .thtml, should be unaffected. If it fails on either of those counts, please let me know. Other options and platforms ISAPI URL rewriting is also offered by ISAPIRewrite. If you're using Apache, you can do the same thing (and much more) with the original ModRewrite. -------------------------------------------------------------------------------------------------------- ________________________________________________________________________ TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
