Vulnerability
WebObjects
Affected
WO with development licence
Description
Bruce Potter found the following. He found a DoS in WebObjects apps
(with a possible remote exploit). So far we've found this problem
in WebObjects 4.5 Developer running with the CGI-adapter and IIS
4.0 on NT 4.0 SP5. WO 4.5 Beta on Solaris 2.6 with Netscape
Enterprise isn't vulnerable.
If you send a large (4.1K) header variable to the webobjects app
it will core (fires up doctor watson). This may result in a
remotely executable exploit as the user running IIS, but Bruce
hasn't taken the time to check.
This worked on any app we tested it on, including "empty"
projects that did _nothing_. Construct a message as follows:

    POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0
    Accept: AAAAAAAAA.... (about 4.1K worth of A's)
    Content-Length: 16

    uselessdata=dork

That's it. The app will die and fire up a doctor watson window.
From testing, it appears that as long as you have > 4.1K worth
of headers, the app will die (ie: you don't need to have all the
data in one variable).
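
An added example, not part of the original advisory: a Python check that a front-end filter or log review could apply, showing why a cap on each header alone misses the case described above, where the headers only exceed about 4.1K in total. The 4096-byte total limit, the 1024-byte per-header limit, the X-Pad-NN header names and the sample requests are assumptions constructed for illustration.

```python
TOTAL_LIMIT = 4096       # assumption: cutoff just under the ~4.1K reported above
PER_HEADER_LIMIT = 1024  # assumption: a single-header cap, shown for comparison


def header_lines(raw: bytes) -> list:
    """Header lines between the request line and the first empty line (CRLF or LF)."""
    out = []
    for line in raw.split(b"\n")[1:]:   # [1:] skips the request line
        line = line.rstrip(b"\r")
        if not line:                    # empty line ends the header block
            break
        out.append(line)
    return out


def check(raw: bytes) -> dict:
    """Measure the longest header line and the sum of all header lines."""
    lines = header_lines(raw)
    total = sum(len(line) for line in lines)
    longest = max((len(line) for line in lines), default=0)
    return {"total": total, "longest": longest,
            "per_header_ok": longest <= PER_HEADER_LIMIT,
            "total_ok": total <= TOTAL_LIMIT}


def build(headers: list) -> bytes:
    """Constructed sample request in the shape shown in the advisory."""
    head = b"POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0\r\n"
    head += b"".join(k + b": " + v + b"\r\n" for k, v in headers)
    return head + b"\r\nuselessdata=dork"


# Constructed samples: normal request, one oversized header, many small headers.
LENGTH = (b"Content-Length", b"16")
BENIGN = build([(b"Accept", b"*/*"), LENGTH])
SINGLE = build([(b"Accept", b"A" * 4200), LENGTH])
SPLIT = build([(b"X-Pad-%02d" % i, b"A" * 70) for i in range(60)] + [LENGTH])

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("single", SINGLE), ("split", SPLIT)):
        print(name, check(req))
```

The split sample passes the per-header cap but fails the total, so only the aggregate check covers both shapes of the request.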
Solution
Bruce submitted this vulnerability to Apple last week. To their
credit they responded in a reasonable timeframe. According to the
testing done on their end, this DoS is only present when you use
a development license. WO with deployment licenses are not
vulnerable. Our deployment license is "in the mail" so we haven't
been able to test this. Seems a bit odd to me being that you keep
the same software and just change the license key to "upgrade"
from devel to deploy... there's no new software installed. We'll
see.