[cups.development] [RFE] STR #2787: Content-Length if not given defaults to a large number of bytes making the server to wait for any data
rahulmode
move2rahul at yahoo.co.in
Tue Apr 8 11:20:44 PDT 2008
DO NOT REPLY TO THIS MESSAGE. INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.
[STR New]
Tested on both CUPS-1.1.23 and CUPS-1.3.7.
Content-Length, if not given, defaults to 2147483647 bytes, making the
server wait for that many bytes.
The exploit scenario:
If the user connects to the server using "nc", on which he is allowed to use
POST method requests, and sends a request without stating the Content-Length
value, then the server waits for 2147483647 bytes or the time-out, whichever is
earlier.
Now if an attacker connects with max-clients-allowed to the server and
sends this request from each client,
then the SERVER may possibly go into DoS!!
Example exploit:
# nc cups_server 631
POST /printers/ HTTP/1.1
Content-Length:
\n\n
< other data >
-----------------------------------------------------------------
-- BY Rahul Mode ( rahulmode at gmail.com )
Link: http://www.cups.org/str.php?L2787
Version: -feature
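
The server-side check this report asks for, as an added example that is not part of the original post and is not CUPS code: decide the HTTP status from the Content-Length field before waiting for any body, instead of assuming a default length. The names check_post_length and MAX_BODY and the 16 MiB cap are hypothetical; the caller is assumed to have already parsed the headers.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY (16L * 1024 * 1024)  /* assumed cap, not a CUPS setting */

/* Hypothetical helper: returns the HTTP status to answer with before any
 * body is read. value is the raw Content-Length field value, or NULL when
 * the header is absent; chunked is nonzero for Transfer-Encoding: chunked. */
int check_post_length(const char *method, const char *value, int chunked,
                      long *length)
{
    char *end;
    long n;

    *length = 0;
    if (strcmp(method, "POST") != 0)
        return 200;              /* only POST bodies are checked here */
    if (chunked) {
        *length = -1;            /* length comes from the chunk headers */
        return 200;
    }
    if (value == NULL)
        return 411;              /* Length Required: never assume a default */
    while (*value == ' ' || *value == '\t')
        value++;
    if (!isdigit((unsigned char)*value))
        return 400;              /* empty, signed or non-numeric value */
    errno = 0;
    n = strtol(value, &end, 10);
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return 400;              /* trailing junk after the digits */
    if (errno == ERANGE || n > MAX_BODY)
        return 413;              /* larger than the server will accept */
    *length = n;
    return 200;
}

int main(void)
{
    long n;
    /* Constructed inputs: header absent, then the empty value from the report. */
    printf("absent: %d\n", check_post_length("POST", NULL, 0, &n));
    printf("empty:  %d\n", check_post_length("POST", "", 0, &n));
    return 0;
}
```

A per-connection read time-out is still needed for clients that declare a valid length and then send nothing.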