Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

NeatUpload vulnerability and fix

From: dean () brettle com
Date: 20 Apr 2007 06:40:38 -0000
Product: NeatUpload

Synopsis: A race condition in several versions of the NeatUpload ASP.NET component could sometimes cause portions of 
responses to be sent to the wrong user, potentially revealing sensitive information to unauthorized users.

Vulnerable versions: 1.2.11-1.2.16, 1.1.18-1.1.23, and trunk.379-trunk.445.

Fixed in: 1.2.17, 1.1.24, and trunk.448

Credit: Thanks to Jamie Howell with starnow.com, and Michael Teper with Elanex, Inc. (www.elanex.com), for reporting 
the problem and testing the fix.

Detailed description:

The problem was caused by part of a fix introduced in 1.2.11 (and 1.1.18) which caused 
HttpWorkerRequest.FlushResponse(bool finalFlush) to be called twice for the same HttpWorkerRequest with 
finalFlush=true. That probably caused ASP.NET's response buffer to be reused for another request before the response 
was sent.  The problem is more likely to occur when the server is handling multiple requests simultaneously.

The easiest way to exploit this vulnerability would be to make many simultaneous requests to the server, hoping to 
trigger the problem and receive a portion of another users response that contains sensitive information.

Recommended fix:

Users should upgrade to latest patch version for the release they are using.  

Alternatively, the following patch can be applied:

Index: DecoratedWorkerRequest.cs
===================================================================
--- DecoratedWorkerRequest.cs   (revision 442)
+++ DecoratedWorkerRequest.cs   (revision 443)
@@ -125,8 +125,9 @@
                {
                        if (Exception == null)
                        {
-                               if (log.IsDebugEnabled) log.Debug("Calling FlushResponse(" + finalFlush + ")");
-                               OrigWorker.FlushResponse(finalFlush);
+                               if (log.IsDebugEnabled) log.Debug("FlushResponse(" + finalFlush + ") called -> Calling 
FlushResponse(false)");
+                               // Always pass false so that ASP.NET doesn't recycle response buffers while they are 
still in use.
+                               OrigWorker.FlushResponse(false);
                        }
                }
Previous By Date Next
Previous By Thread Next

Current thread: