Back to list
NeatUpload vulnerability and fix
Apr 20 2007 06:40AM
dean brettle com
Synopsis: A race condition in several versions of the NeatUpload ASP.NET component could sometimes cause portions of responses to be sent to the wrong user, potentially revealing sensitive information to unauthorized users.
Vulnerable versions: 1.2.11-1.2.16, 1.1.18-1.1.23, and trunk.379-trunk.445.
Fixed in: 1.2.17, 1.1.24, and trunk.448
Credit: Thanks to Jamie Howell with starnow.com, and Michael Teper with Elanex, Inc. (www.elanex.com), for reporting the problem and testing the fix.
The problem was caused by part of a fix introduced in 1.2.11 (and 1.1.18) which caused HttpWorkerRequest.FlushResponse(bool finalFlush) to be called twice for the same HttpWorkerRequest with finalFlush=true. That probably caused ASP.NET's response buffer to be reused for another request before the response was sent. The problem is more likely to occur when the server is handling multiple requests simultaneously.
The easiest way to exploit this vulnerability would be to make many simultaneous requests to the server, hoping to trigger the problem and receive a portion of another users response that contains sensitive information.
Users should upgrade to latest patch version for the release they are using.
Alternatively, the following patch can be applied:
--- DecoratedWorkerRequest.cs (revision 442)
+++ DecoratedWorkerRequest.cs (revision 443)
@@ -125,8 +125,9 @@
if (Exception == null)
- if (log.IsDebugEnabled) log.Debug("Calling FlushResponse(" + finalFlush + ")");
+ if (log.IsDebugEnabled) log.Debug("FlushResponse(" + finalFlush + ") called -> Calling FlushResponse(false)");
+ // Always pass false so that ASP.NET doesn't recycle response buffers while they are still in use.
[ reply ]
Copyright 2010, SecurityFocus