[Glass] security / dos attacks

Dale K. Henrichs dale.henrichs at gemtalksystems.com
Mon Dec 23 08:06:17 PST 2013


Otto,


----- Original Message -----
| From: "Otto Behrens" <otto at finworks.biz>
| To: glass at lists.gemtalksystems.com
| Cc: support at finworks.biz
| Sent: Monday, December 23, 2013 5:36:50 AM
| Subject: [Glass] security / dos attacks
| 
| Hi,
| 
| We've been getting some hacking / dos attempts on our sites.
| 
| In some cases, we do get a successful crash of the FCGI server. I'm
| still trying to find those.

Yes, let's hunt the server crashes down ...

| 
| In my hunt for this, I found that some requests create an Internal
| Server Error response. For example, a GET on /%C0%AE generates the
| following message: 'InterpreterError 2258: Primitive failed ,
| selector
| <#'_unicodePrim:'> receiver <'À®'>'

"Internal Server Errors" are thrown from parts of the system where it is believed that we cannot return a valid HTTP response ... In the particular cases where the error is coming from interpretation of the data of the request, I think it does make sense to return an appropriate HTTP error response ...
| 
| I'm worried that this somehow opens a gap to hack into the system, so
| I think it is better to respond with a 404 or something like that.
| Does this make sense? I was thinking that I should be chasing down
| 500
| responses so that we can catch where they manage to break the server.
|
 
I don't think that errors that lead to walkbacks pose a security threat to the system ... Smalltalk walkbacks don't open holes ... vm level crashes on the other hand could ... depending upon the failure mechanism.

| Have you encountered this? Any ideas on solving it?
| 
| Here's what I found so far:
| 1. The method WAFastCGIAdaptor | requestUrlFor: creates a WAUrl and
| then calls #decodeWith: on it, which breaks.
| 2. In the code that creates the WAUrl, it calls #decode: on the path
| segments, which decodes %C0 as a UTF8 character. (WAUrl | decode:).
| 3. doing this breaks:
| 
| (String with: (Character codePoint: 192) with: (Character codePoint:
| 174)) decodeFromUTF8


I would think that WAFastCGIAdaptor>>internalServerMalfunction: could be modified so that you could choose to respond with a 500 or 400 error depending upon the type of problem you are hitting ..

| 
| Thanks
| Otto
| _______________________________________________
| Glass mailing list
| Glass at lists.gemtalksystems.com
| http://lists.gemtalksystems.com/mailman/listinfo/glass
| 
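
The reply above suggests answering with a 400 or a 500 depending on the type of failure. A sketch of that split in Python (an added example, not part of the original email and not Seaside or GemStone code; `MalformedRequest`, `decode_path_segments`, `handle` and `app` are hypothetical names): the path is percent-decoded and strictly validated as UTF-8, so `/%C0%AE`, whose bytes C0 AE are not valid UTF-8, gets a 400, while unexpected application errors still get a 500.

```python
import logging
from urllib.parse import unquote_to_bytes

log = logging.getLogger("adaptor")  # hypothetical logger name


class MalformedRequest(Exception):
    """Request data that cannot be interpreted: a client error (400)."""


def decode_path_segments(raw_path):
    """Percent-decode each path segment, then decode it strictly as UTF-8."""
    segments = []
    for raw in raw_path.split("/"):
        octets = unquote_to_bytes(raw)  # "%C0%AE" -> b"\xc0\xae"
        try:
            # The strict decoder rejects invalid start bytes such as C0,
            # overlong forms and encoded surrogates instead of guessing.
            segments.append(octets.decode("utf-8", errors="strict"))
        except UnicodeDecodeError as err:
            raise MalformedRequest(
                f"invalid UTF-8 in path segment {raw!r}: {err.reason}"
            ) from err
    return segments


def handle(raw_path, app):
    """Return (status, body); `app` is a callable taking the decoded segments."""
    try:
        segments = decode_path_segments(raw_path)
    except MalformedRequest as err:
        # Bad input is the client's problem: report it, do not count it as a 500.
        log.warning("rejected request %r: %s", raw_path, err)
        return 400, "Bad Request"
    try:
        return 200, app(segments)
    except Exception:
        # Genuine server-side failure: keep the traceback in the log only.
        log.exception("unhandled error for %r", raw_path)
        return 500, "Internal Server Error"


if __name__ == "__main__":
    echo = lambda segs: "/".join(segs)
    for path in ("/%C0%AE", "/caf%C3%A9"):  # constructed sample requests
        print(path, handle(path, echo))
```

With this split, remaining 500 responses point at server-side failures worth chasing, and malformed request data shows up separately as 400s.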

