Ben,

You're reading it right.

Your testing seemed to suggest that 512 was OK for normal cookies, but the user reference cookies needed to be shorter.

Mails I got from Phil seemed to indicate that the issue was the same regardless of the cookie (UserReference or not). But he was a bit vague, and I'm still waiting for confirmation.

If it does turn out that UserReference cookies need to be shorter, you could target them specifically with something like:
RewriteCond %{HTTP_COOKIE} .*Tango_UserReference[^;]{50}.*
RewriteRule ^.*$ /tango_buffer_overflow_exploit.html [L]


Or if it turns out that all cookies can be treated the same, and that the 512 characters is the danger point, then, like you suggest, you could do this:
RewriteCond %{HTTP_COOKIE} .*[^;]{512}.*


What we really need here is the actual numbers from the man with the source code.

Phil?

Ed


At 16:43 03/08/04 -0700, you wrote:


if I am reading this line correctly
"RewriteCond %{HTTP_COOKIE} .*[^;]{128}.*"
this will limit the cookie length to 128 chars

I would set it to 512

This will allow for larger cookies.
I have had no problem with cookies 512 char or less.


Ben Johansen - http://www.pcforge.com -Authorized WiTango Reseller http://www.pcforge.com/WitangoGoodies.htm -Authorized Alt-N Reseller http://www.pcforge.com/AltN.htm

-----Original Message-----
From: ed [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 3:57 PM
To: [EMAIL PROTECTED]
Subject: Witango-Talk: Workaround for cookie buffer overflow
vulnerability using URL rewriting


The following suggestion may be of interest to people running Tango / Witango applications that they can't upgrade to the latest version of Witango 5 at short notice.

It should be possible to work around the cookie buffer overflow vulnerability
by stopping requests with oversized cookies at the web server, before they
reach Tango.

I've done some limited testing with this and it works fine as far as I can
tell, but obviously the suggestion comes with ABSOLUTELY NO WARRANTY, blah,
blah blah.

If you find any problems with what I've proposed (either it lets things
through that it shouldn't or it doesn't let things through that it should),
please let me know, off-list in the first instance.

Full details are here:
http://www.edochan.com/tango/cookie_workaround.htm

Ed Edgar

-------------------------------------------------------------------------------------------------------
The Workaround

IIS allows you to install third-party plugins (called ISAPI Filters) which
can change requests before it processes them.

We can use an ISAPI Filter to rewrite the URLs of suspicious requests so that
IIS sends them somewhere other than Tango.

The simplest way is to send them to a made-up HTML page, like
"/tango_buffer_overflow_exploit.html".

If you want immediate warnings of attacks, you might want to make a special
CGI script and redirect them to that instead.


What to do


Head over to Querksoft and pick up a copy of IISRewrite for $99. If you want
to test it first you can download their evaluation version.

Install IISRewrite by following the instructions on their website.

Put the following in your rewrite.ini file: [Warning: This may line-wrap.]

RewriteEngine On
###########################################################################
#
# Rule to block Tango cookie buffer overflow exploit
# Apply this rule to any request containing a cookie 128 bytes long, including the name.
# Rewrite anything containing a Tango extension then the end of the string, or a question mark.
# NB If your server lets Tango respond to other URLs, you should include those as well.
RewriteCond %{HTTP_COOKIE} .*[^;]{128}.*
RewriteRule (.*)\.(taf$|taf\?|tml$|tml\?|thtml$|thtml\?)(.*) /tango_buffer_overflow_exploit.html [L]
# If you're really paranoid, use
# RewriteRule .* /tango_buffer_overflow_exploit.html
# ...to block oversized cookies for all requests.
#
###########################################################################
Restart IIS.

It should no longer be possible to send excessively large cookies to your
Tango server.

Requests without excessively large cookies, or requests for pages other than
.taf, .tml and .thtml, should be unaffected.

If it fails on either of those counts, please let me know.


Other options and platforms


ISAPI URL rewriting is also offered by ISAPIRewrite.

If you're using Apache, you can do the same thing (and much more) with the
original ModRewrite.

------------------------------------------------------------------------------------------------------
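The following is an added example, not part of this thread and not IISRewrite's own code: a small Python script that applies the regexes quoted above (the 128/512-character RewriteCond, the Tango-extension RewriteRule pattern, and Ed's Tango_UserReference variant from the top of the thread) to constructed Cookie headers, so a rule can be checked offline before it goes into rewrite.ini. The function names and the sample cookie names and values are assumptions made for the example.

```python
import re

# Added example, not from the thread or from IISRewrite: applies the regexes
# quoted in this thread to constructed Cookie headers so the rules can be
# checked offline before they go into rewrite.ini.

# RewriteRule pattern from the original workaround, applied to the request URL.
TANGO_URL_RE = re.compile(r"(.*)\.(taf$|taf\?|tml$|tml\?|thtml$|thtml\?)(.*)")

# Ed's follow-up suggestion for targeting UserReference cookies only.
USERREF_COND = re.compile(r".*Tango_UserReference[^;]{50}.*")


def oversized_cookie_cond(threshold):
    """RewriteCond regex '.*[^;]{N}.*' for a given N (128 in the original, 512 per Ben)."""
    return re.compile(r".*[^;]{%d}.*" % threshold)


def longest_cookie_run(cookie_header):
    """Length of the longest ';'-free run in the header: the quantity [^;]{N} tests.

    The space after each ';' is part of the following run, so a cookie that is
    not the first one in the header measures one character longer than name=value.
    """
    return max((len(run) for run in cookie_header.split(";")), default=0)


def would_rewrite(cookie_header, request_url, threshold=128, userref_only=False):
    """True if the thread's rules would redirect this request.

    Both the RewriteCond (cookie test) and the RewriteRule pattern (URL test)
    must match; requests for non-Tango URLs pass through whatever the cookies.
    """
    cond = USERREF_COND if userref_only else oversized_cookie_cond(threshold)
    if cond.match(cookie_header) is None:
        return False
    return TANGO_URL_RE.match(request_url) is not None


if __name__ == "__main__":
    # Constructed sample headers (hypothetical cookie names and values).
    big = "big=" + "B" * 200
    userref = "sessid=abc123; Tango_UserReference=" + "A" * 60
    for cookie, url, kw in [
        (big, "/index.taf", {}),
        (big, "/app.taf?_function=x", {}),
        (big, "/static/page.html", {}),
        (big, "/page.taf/extra", {}),
        (big, "/index.taf", {"threshold": 512}),
        (userref, "/index.taf", {}),
        (userref, "/index.taf", {"userref_only": True}),
    ]:
        verdict = "rewrite" if would_rewrite(cookie, url, **kw) else "pass"
        print("%-22s run=%3d %-24s -> %s" % (url, longest_cookie_run(cookie), kw or "", verdict))
```

Two things the run makes visible: `[^;]{N}` measures the longest semicolon-free run, so the name and the space after the previous `;` count toward N, which is why a 60-character UserReference value is caught by the `{50}` rule but not by the `{128}` one; and a URL such as /page.taf/extra never matches the RewriteRule pattern, which is the case the comment about "other URLs" in rewrite.ini is warning about.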
________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
