You've just made a lot of people very happy - Thank you ED! Now I know what I'll be doing tonight...
Scott Cadillac, Witango.org - http://witango.org
403-281-6090 - [EMAIL PROTECTED]
-- Information for the Witango Developer Community
---------------------
XML-Extranet - http://xml-extra.net
403-281-6090 - [EMAIL PROTECTED]
-- Well-formed Development (for hire)
---------------------

> -----Original Message-----
> From: ed [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 04, 2003 4:57 PM
> To: [EMAIL PROTECTED]
> Subject: Witango-Talk: Workaround for cookie buffer overflow
> vulnerability using URL rewriting
>
>
> The following suggestion may be of interest to people running Tango / Witango
> applications that they can't upgrade to the latest version of Witango 5 at
> short notice.
>
> It should be possible to work around the cookie buffer overflow vulnerability
> by stopping requests with oversized cookies at the web server, before they
> reach Tango.
>
> I've done some limited testing with this and it works fine as far as I can
> tell, but obviously the suggestion comes with ABSOLUTELY NO WARRANTY, blah,
> blah blah.
>
> If you find any problems with what I've proposed (either it lets things
> through that it shouldn't or it doesn't let things through that it should),
> please let me know, off-list in the first instance.
>
> Full details are here:
> http://www.edochan.com/tango/cookie_workaround.htm
>
> Ed Edgar
>
> ---------------------------------------------------------------------------------------------------------
> The Workaround
>
> IIS allows you to install third-party plugins (called ISAPI Filters) which
> can change requests before it processes them.
>
> We can use an ISAPI Filter to rewrite the URLs of suspicious requests so that
> IIS sends them somewhere other than Tango.
>
> The simplest way is to send them to a made-up HTML page, like
> "/tango_buffer_overflow_exploit.html".
>
> If you want immediate warnings of attacks, you might want to make a special
> CGI script and redirect them to that instead.
>
>
> What to do
>
> Head over to Querksoft and pick up a copy of IISRewrite for $99. If you want
> to test it first you can download their evaluation version.
>
> Install IISRewrite by following the instructions on their website.
>
> Put the following in your rewrite.ini file: [Warning: This may line-wrap.]
>
> RewriteEngine On
> ###########################################################################
> #
> # Rule to block Tango cookie buffer overflow exploit
> # Apply this rule to any request containing a single cookie of 128 bytes
> # or more, including the name (a run of 128 non-';' characters).
> # Rewrite anything containing a Tango extension then the end of the string,
> # or a question mark.
> # NB If your server lets Tango respond to other URLs, you should include
> # those as well.
> RewriteCond %{HTTP_COOKIE} .*[^;]{128}.*
> RewriteRule (.*)\.(taf$|taf\?|tml$|tml\?|thtml$|thtml\?)(.*) /tango_buffer_overflow_exploit.html [L]
> # If you're really paranoid, use
> # RewriteRule .* /tango_buffer_overflow_exploit.html
> # ...to block oversized cookies for all requests.
> #
> ###########################################################################
>
> Restart IIS.
>
> It should no longer be possible to send excessively large cookies to your
> Tango server.
>
> Requests without excessively large cookies, or requests for pages other than
> .taf, .tml and .thtml, should be unaffected.
>
> If it fails on either of those counts, please let me know.
>
>
> Other options and platforms
>
> ISAPI URL rewriting is also offered by ISAPIRewrite.
>
> If you're using Apache, you can do the same thing (and much more) with the
> original ModRewrite.
>
> ---------------------------------------------------------------------------------------------------------
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
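Before putting the rule on a production box it is worth exercising its decision logic against the cases Ed asks people to check (oversized cookies stopped, everything else untouched). The Python below is an added example, not Ed's code and not anything shipped with IISRewrite: it reproduces the two regexes from the posted rewrite.ini verbatim and runs them over constructed requests. It assumes the rewrite engine hands the rule the URL including its query string (the rule's own "taf\?" alternatives only make sense if it does) and that, with no [NC] flag, the URL match is case-sensitive as it is in Apache mod_rewrite; on that assumption the last case shows a request for /app/LOGIN.TAF passing the rule as posted even though IIS treats paths case-insensitively. The host name, paths and cookie values are all made up.

```python
import re

# The two patterns from the posted rewrite.ini, reproduced verbatim so the
# decision logic can be exercised offline. The URL string handed to the rule
# is assumed to include the query string.
COOKIE_COND = re.compile(r".*[^;]{128}.*")
TANGO_RULE = re.compile(r"(.*)\.(taf$|taf\?|tml$|tml\?|thtml$|thtml\?)(.*)")
# Case-insensitive variant, i.e. what the rule would do with an [NC] flag.
TANGO_RULE_NC = re.compile(TANGO_RULE.pattern, re.IGNORECASE)
BLOCK_TARGET = "/tango_buffer_overflow_exploit.html"

# Constructed sample Cookie headers (not captured traffic).
SMALL_COOKIE = "sid=abc123; lang=en"
BIG_COOKIE = "sid=" + "A" * 300   # one 304-byte cookie, well over the threshold


def oversized_cookie(cookie_header):
    """True when any single cookie (a run of non-';' bytes, name included)
    is 128 bytes or longer. Several short cookies adding up to more than
    128 bytes do NOT trip this condition: it bounds one cookie, not the
    whole header."""
    return COOKIE_COND.match(cookie_header) is not None


def rewrite(url, cookie_header, paranoid=False, nocase=False):
    """Return the URL IIS would serve after the rule has run.

    paranoid -- the commented-out variant that rewrites every URL.
    nocase   -- match the Tango extension case-insensitively (the posted
                rule has no [NC] flag; IIS paths are case-insensitive, so
                this is the variant you want on Windows).
    """
    if not oversized_cookie(cookie_header):
        return url
    if paranoid:
        return BLOCK_TARGET
    rule = TANGO_RULE_NC if nocase else TANGO_RULE
    return BLOCK_TARGET if rule.match(url) else url


def build_probe(host, url, cookie_header):
    """Raw HTTP/1.0 request bytes for pushing one test case at a real
    server over a socket; the Cookie header is sent exactly as given."""
    lines = [
        "GET %s HTTP/1.0" % url,
        "Host: %s" % host,
        "Cookie: %s" % cookie_header,
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def run_cases():
    """Table of (url, cookie label, resulting url) for the cases a tester
    should check: normal traffic, an oversized cookie on each Tango
    extension with and without a query string, a non-Tango page, and the
    upper-case extension that the rule as posted lets through."""
    cases = [
        ("/app/login.taf", "small"),
        ("/app/login.taf", "big"),
        ("/app/login.taf?_function=form&id=1", "big"),
        ("/app/page.tml", "big"),
        ("/app/page.thtml", "big"),
        ("/static/index.html", "big"),
        ("/app/LOGIN.TAF", "big"),
    ]
    rows = []
    for url, label in cases:
        cookie = BIG_COOKIE if label == "big" else SMALL_COOKIE
        rows.append((url, label, rewrite(url, cookie)))
    return rows


if __name__ == "__main__":
    for url, label, result in run_cases():
        verdict = "BLOCKED" if result == BLOCK_TARGET else "passed"
        print("%-38s cookie=%-5s -> %s" % (url, label, verdict))
```

Two things the table makes visible that the rule's comments do not: the condition fires on one cookie of 128 bytes or more, so a header made of several shorter cookies passes no matter how long it is in total; and without [NC] a mixed-case extension is not rewritten. Adding NC to the flags ([L,NC]) closes the second gap, under IISRewrite or under Apache mod_rewrite, where the same two directives can be used as written. build_probe() produces the raw request for each row so the same cases can be replayed against the real server once the filter is installed.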
