|
From: Jonathan S. <gel...@ge...> - 2002-03-02 16:09:28
|
If you have enough bandwidth you might want to take a look at :
http://www.kidlink.org/KIDPROJ/Bridges/wwwboard/
to see another, er, feature of wwwboard that we should be addressing ;-}
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Olivier D. <dr...@sh...> - 2002-03-02 16:55:47
|
WTH??? The page's like 200... MB!!! I've got cable and after 2min I only
had 10MB downloaded... I just gave up!
What's wrong with it? Is it an NMS wwwboard or a MSA one?
-Olivier
On Sat, Mar 02, 2002 at 04:08:42PM +0000, Jonathan Stowe wrote:
> If you have enough bandwidth you might want to take a look at :
>
> http://www.kidlink.org/KIDPROJ/Bridges/wwwboard/
>
> to see another, er, feature of wwwboard that we should be addressing ;-}
>
> /J\
> --
> Jonathan Stowe |
> <http://www.gellyfish.com> | This space for rent
> |
>
>
> _______________________________________________
> Nms-cgi-devel mailing list
> Nms...@li...
> https://lists.sourceforge.net/lists/listinfo/nms-cgi-devel
--
+----------------------------------------------+
| Olivier Dragon dr...@sh... |
| Software Engineering II, McMaster University |
+----------------------------------------------+
|
|
From: Olivier D. <dr...@sh...> - 2002-03-02 17:00:55
|
On Sat, Mar 02, 2002 at 05:04:31PM +0000, Sam Smith wrote:
> On Sat, 2 Mar 2002, Olivier Dragon wrote:
> > WTH??? The page's like 200... MB!!! I've got cable and after 2min I only
> > had 10MB downloaded... I just gave up!
> >
> > What's wrong with it? Is it an NMS wwwboard or a MSA one?
>
> The page's like 200... MB!!! I've got cable and after 2min I only
> had 10MB downloaded... I just gave up!
Haha... funny. I mean technically, why is it so big and what's wrong
with it...
-Olivier
--
+----------------------------------------------+
| Olivier Dragon dr...@sh... |
| Software Engineering II, McMaster University |
+----------------------------------------------+
|
|
From: Sam S. <sou...@ms...> - 2002-03-02 17:10:47
|
On Sat, 2 Mar 2002, Olivier Dragon wrote:
> On Sat, Mar 02, 2002 at 05:04:31PM +0000, Sam Smith wrote:
> > On Sat, 2 Mar 2002, Olivier Dragon wrote:
> > > WTH??? The page's like 200... MB!!! I've got cable and after 2min I only
> > > had 10MB downloaded... I just gave up!
> > >
> > > What's wrong with it? Is it an NMS wwwboard or a MSA one?
> >
> > The page's like 200... MB!!! I've got cable and after 2min I only
> > had 10MB downloaded... I just gave up!
>
> Haha... funny. I mean technically, why is it so big and what's wrong
> with it...
Lots of people have posted to the board, so there are lots of messages. A
fair number of them seemed to be automatically generated gibberish.
The problem is exactly the one you found -- it's a huge download.
Sam
--
"Thinking of using NT for your critical apps?
Isn't there enough suffering in the world?"
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-02 20:46:44
|
On Sat, 2 Mar 2002, Olivier Dragon wrote:
> On Sat, Mar 02, 2002 at 05:04:31PM +0000, Sam Smith wrote:
> > On Sat, 2 Mar 2002, Olivier Dragon wrote:
> > > WTH??? The page's like 200... MB!!! I've got cable and after 2min I only
> > > had 10MB downloaded... I just gave up!
> > >
> > > What's wrong with it? Is it an NMS wwwboard or a MSA one?
> >
> > The page's like 200... MB!!! I've got cable and after 2min I only
> > had 10MB downloaded... I just gave up!
>
> Haha... funny. I mean technically, why is it so big and what's wrong
> with it...
>
OK, I've worked out what the exploit does - it operates entirely through
the followup parameter. You construct a request (possibly using something
like LWP) that has a followup parameter that has 1 ... <number in
data.txt> and then a very large number of <number in data.txt + 1>
repeated, all comma separated. Thus the threading mechanism will dumbly
rewrite the wwwboard.html so that it becomes gigantic and will rewrite
a load of the individual messages as having these spurious followups.
The second part of this is already dealt with in the code by the
    foreach my $fn (@followup_num) {
        error('followup_data') if $fn !~ /^\d+$/ || $fcheck{$fn};
        $fcheck{$fn}++;
    }
    @followup_num = keys %fcheck;
bit.
The first part however is a little bit more difficult because you would
have to read every message to check whether this was a pukka followup to
that, so what I have done is put in a $max_followups configuration
(guarded by $emulate_matts_code) that limits the number of messages a
followup can be a followup to - this will still allow an attacker to
create *some* spurious followups but will mitigate the potential effect of
such an attempt. I have updated the README accordingly.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
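
The checks discussed in the message above, gathered into one validator as an added example; this is not the NMS wwwboard code and was not posted to the list. The name validate_followups, the $last_id argument (standing for the counter kept in data.txt) and the range check against it are assumptions made for illustration, and the sample requests are constructed.

```perl
use strict;
use warnings;

# Added illustration; validate_followups() and $last_id are hypothetical names.
#   $raw           - raw comma-separated value of the 'followup' parameter
#   $last_id       - highest message number issued so far (the data.txt counter)
#   $max_followups - cap on how many messages one post may claim to follow
# Returns (1, \@ids) when the value is acceptable, (0, $reason) otherwise.
sub validate_followups {
    my ($raw, $last_id, $max_followups) = @_;
    return (1, []) unless defined $raw && length $raw;

    # The split limit bounds the work done on a very long value: at most
    # $max_followups + 1 fields come back, which is enough to see the cap
    # has been exceeded without walking the whole string field by field.
    my @fields = split /,/, $raw, $max_followups + 1;
    return (0, 'too many followups') if @fields > $max_followups;

    my (%seen, @ids);
    for my $fn (@fields) {
        return (0, 'followup is not a number') if $fn !~ /^[0-9]+\z/;
        my $id = $fn + 0;    # normalise so that '01' and '1' compare equal
        return (0, 'followup to a message that does not exist')
            if $id < 1 || $id > $last_id;
        return (0, 'duplicate followup') if $seen{$id}++;
        push @ids, $id;
    }
    return (1, \@ids);
}

# Constructed sample values: counter at 5, at most 10 followups per post.
my @samples = (
    '3',                             # ordinary reply
    '1,2,3',                         # reply three levels into a thread
    join(',', 1 .. 5, (6) x 50),     # long list padded with one repeated number
    '01,1',                          # same message named twice
    '2,abc',                         # non-numeric entry
    '9',                             # message number never issued
);
for my $raw (@samples) {
    my ($ok, $res) = validate_followups($raw, 5, 10);
    my $shown = length($raw) > 24 ? substr($raw, 0, 24) . '...' : $raw;
    printf "%-28s %s\n", $shown,
        $ok ? 'ok: ' . join(',', @$res) : "rejected: $res";
}
```

As the message notes, a cap like this does not prove that the listed numbers form a real thread; it only bounds how many messages a single request can touch.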
|
From: Jonathan S. <gel...@ge...> - 2002-03-02 17:14:03
|
On Sat, 2 Mar 2002, Olivier Dragon wrote:
> WTH??? The page's like 200... MB!!! I've got cable and after 2min I only
> had 10MB downloaded... I just gave up!
>
> What's wrong with it? Is it an NMS wwwboard or a MSA one?
It appears to be an MSA (or close relative of it), the main page is full
of multiple entries for the same message and very deeply nested - on the
followup ones it refers to itself as a followup, thus exploiting the
threading mechanism to fill up the disk :)
I guess it was a script that replied to each of the real entries on the
mainpage and then specified a 'followup' that did the rest.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|