[20269] in bugtraq
Re: [SX-20010320-2] - Microsoft ISA Server Denial of Service
daemon@ATHENA.MIT.EDU (Richard M. Smith)
Tue Apr 17 15:01:10 2001
Message-ID: <ONEILKPECNHHJLENAGFMEELFEJAA.rms@privacyfoundation.org>
Date: Tue, 17 Apr 2001 07:32:57 -0400
Reply-To: "Richard M. Smith" <rms@PRIVACYFOUNDATION.ORG>
From: "Richard M. Smith" <rms@PRIVACYFOUNDATION.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010416233023.N8227@securityfocus.com>
Hello,
>>> Microsoft ISA server includes a web proxy component
>>> (W3PROXY.EXE) that is used for both the "publishing"
>>> of internal web servers to the external network
>>> and for proxying of internal requests to external web servers.
>>> Sending a URL with a long pathname component to this proxy
>>> will cause it to terminate with an access violation error.
>>> For example, sending the (valid) HTTP request:
>>> GET http://hostname/aaa[3000 more occurrences of 'a'] HTTP/1.0\n\n
>>> to port 80 on the ISA Server's external interface will cause
>>> W3PROXY.EXE to terminate with an access violation.
I don't have access to an ISA server for testing, but this DoS attack
might also be exploitable from an HTML email message by
an outsider using the following <IMG> tag embedded in
a message:

<img src=http://hostname/aaa[3000 more occurrences of 'a']>

Another method of generating the DoS attack would be to
use JavaScript to create the long URL and then set
the "src" property of an Image object. This code could
also be embedded in an HTML email message.

Richard
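
A mail-gateway style check for the delivery vector discussed above, as an added example that is not part of the original post or of any vendor tooling: it parses an HTML message body and reports URL attributes whose path exceeds a length limit, plus script elements and event-handler attributes, since a URL built by script at run time cannot be measured statically. The 2048-character limit, the function and class names, and the `hostname.example` placeholder are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_PATH_LEN = 2048  # assumed policy threshold, not a value from the advisory


class MailHtmlAuditor(HTMLParser):
    """Collects findings for over-long URL paths and active content in mail HTML."""

    URL_ATTRS = {"src", "href", "background", "lowsrc"}

    def __init__(self, max_path_len=MAX_PATH_LEN):
        super().__init__(convert_charrefs=True)
        self.max_path_len = max_path_len
        self.findings = []  # tuples of (kind, location, path_length)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            # A script can assemble the URL at run time, so length checks on
            # static attributes cannot cover it; report the element itself.
            self.findings.append(("script-element", tag, 0))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}[{name}]", 0))
            elif name in self.URL_ATTRS and value:
                try:
                    path_len = len(urlsplit(value.strip()).path)
                except ValueError:  # malformed authority, e.g. unbalanced "["
                    self.findings.append(("unparseable-url", f"{tag}[{name}]", len(value)))
                    continue
                if path_len > self.max_path_len:
                    self.findings.append(("long-url-path", f"{tag}[{name}]", path_len))


def audit_mail_html(html, max_path_len=MAX_PATH_LEN):
    """Return the list of findings for one HTML message body."""
    auditor = MailHtmlAuditor(max_path_len)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    # Constructed samples; "hostname.example" is a placeholder host.
    long_img = "<p>hi</p><img src=http://hostname.example/" + "a" * 3003 + ">"
    scripted = "<script>var i = new Image();</script><img src='http://hostname.example/logo.gif'>"
    for sample in (long_img, scripted):
        print(audit_mail_html(sample))
```
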