[Glass] security / dos attacks

Mon Dec 23 08:06:17 PST 2013

Otto,

----- Original Message -----
| From: "Otto Behrens" <otto at finworks.biz>
| To: glass at lists.gemtalksystems.com
| Cc: support at finworks.biz
| Sent: Monday, December 23, 2013 5:36:50 AM
| Subject: [Glass] security / dos attacks
| 
| Hi,
| 
| We've been getting some hacking / dos attempts on our sites.
| 
| In some cases, we do get a successful crash of the FCGI server. I'm
| still trying to find those.

Yes, let's hunt the server crashes down ...

| 
| In my hunt for this, I found that some requests create an Internal
| Server Error response. For example, a GET on /%C0%AE generates the
| following message: 'InterpreterError 2258: Primitive failed ,
| selector
| <#'_unicodePrim:'> receiver <'À®'>'

"Internal Server Errors" are thrown from parts of the system where it is believed that we cannot return a valid HTTP response ... In the particular cases where the error is coming from interpretation of the data of the request, I think it does make sense to return an appropriate HTTP erro response ... 
| 
| I'm worried that this somehow opens a gap to hack into the system, so
| I think it is better to respond with a 404 or something like that.
| Does this make sense? I was thinking that I should be chasing down
| 500
| responses so that we can catch where they manage to break the server.
|

I don't think that errors that lead to walkbacks pose a security threat to the system ... Smalltalk walkbacks don't open holes ... vm level crashes on the other hand could ... depending upon the failure mechanism.

I would think that WAFastCGIAdaptor>>internalServerMalfunction: could be modified to so that you could chose to respond with a 500 or 400 error depending upon the type of problem you are hitting ..

| 
| Thanks
| Otto
| _______________________________________________
| Glass mailing list
| Glass at lists.gemtalksystems.com
| http://lists.gemtalksystems.com/mailman/listinfo/glass
| 