[Glass] security / dos attacks

Otto Behrens otto at finworks.biz
Mon Dec 23 07:46:34 PST 2013


Turns out that this was a vulnerability scan from
https://www.qualys.com/, requested by a customer.

Useful anyway to see where we don't respond appropriately.

On Mon, Dec 23, 2013 at 3:36 PM, Otto Behrens <otto at finworks.biz> wrote:
> Hi,
>
> We've been getting some hacking / dos attempts on our sites.
>
> In some cases, we do get a successful crash of the FCGI server. I'm
> still trying to find those.
>
> In my hunt for this, I found that some requests create an Internal
> Server Error response. For example, a GET on /%C0%AE generates the
> following message: 'InterpreterError 2258: Primitive failed , selector
> <#'_unicodePrim:'> receiver <'À®'>'
>
> I'm worried that this somehow opens a gap to hack into the system, so
> I think it is better to respond with a 404 or something like that.
> Does this make sense? I was thinking that I should be chasing down 500
> responses so that we can catch where they manage to break the server.
>
> Have you encountered this? Any ideas on solving it?
>
> Here's what I found so far:
> 1. The method WAFastCGIAdaptor | requestUrlFor: creates a WAUrl and
> then calls #decodeWith: on it, which breaks.
> 2. In the code that creates the WAUrl, it calls #decode: on the path
> segments, which decodes %C0 as a UTF8 character. (WAUrl | decode:).
> 3. Doing this breaks:
>
> (String with: (Character codePoint: 192) with: (Character codePoint:
> 174)) decodeFromUTF8
>
> Thanks
> Otto

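Added illustration, not Seaside or GemStone code: a strict UTF-8 decoder that names the exact defect behind a GET on /%C0%AE (an overlong two-byte encoding of '.'), plus a path-segment decoder that turns any malformed segment into a 4xx instead of letting the decoder's exception escape as a 500. Written in Python; the function names and the sample request paths are assumptions of this example.

```python
from urllib.parse import unquote_to_bytes

class BadRequestPath(ValueError):
    """Percent-decoded path bytes are not well-formed UTF-8."""

def strict_utf8_decode(data: bytes) -> str:
    """Hand-rolled strict UTF-8 decoder. Lead bytes 0xC0/0xC1 are treated as
    2-byte leads on purpose so the failure is reported as what it is: an
    overlong encoding (0xC0 0xAE is '.' in two bytes instead of one)."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            cp, need, minimum = b, 0, 0
        elif 0xC0 <= b <= 0xDF:
            cp, need, minimum = b & 0x1F, 1, 0x80
        elif 0xE0 <= b <= 0xEF:
            cp, need, minimum = b & 0x0F, 2, 0x800
        elif 0xF0 <= b <= 0xF4:
            cp, need, minimum = b & 0x07, 3, 0x10000
        else:
            raise BadRequestPath(f"invalid lead byte 0x{b:02X} at offset {i}")
        if i + need >= n:
            raise BadRequestPath(f"truncated sequence at offset {i}")
        for k in range(1, need + 1):
            c = data[i + k]
            if c & 0xC0 != 0x80:
                raise BadRequestPath(f"bad continuation byte 0x{c:02X} at offset {i + k}")
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:
            raise BadRequestPath(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise BadRequestPath(f"invalid code point U+{cp:04X} at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)

def decode_path_segments(raw_path: str):
    """Percent-decode each segment, then validate it as strict UTF-8.
    Returns (status, segments); a malformed segment yields 400 and no segments
    (the post suggests 404; any 4xx is fine, a 500 is not)."""
    segments = []
    for seg in raw_path.split("/"):
        try:
            segments.append(strict_utf8_decode(unquote_to_bytes(seg)))
        except BadRequestPath:
            return 400, None
    return 200, segments
```

Anything the decoder rejects is logged and answered with the 4xx; only unexpected exceptions should remain in the 500 bucket the post wants to chase.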
