NeatUpload vulnerability and fix
Product: NeatUpload
Synopsis: A race condition in several versions of the NeatUpload ASP.NET
component could sometimes cause portions of responses to be sent to the wrong
user, potentially revealing sensitive information to unauthorized users.
Vulnerable versions: 1.2.11-1.2.16, 1.1.18-1.1.23, and trunk.379-trunk.445.
Fixed in: 1.2.17, 1.1.24, and trunk.448
Credit: Thanks to Jamie Howell with starnow.com, and Michael Teper with Elanex,
Inc. (www.elanex.com), for reporting the problem and testing the fix.
Detailed description:
The problem was caused by part of a fix introduced in 1.2.11 (and 1.1.18) which
caused HttpWorkerRequest.FlushResponse(bool finalFlush) to be called twice for
the same HttpWorkerRequest with finalFlush=true. That probably caused ASP.NET's
response buffer to be reused for another request before the response was sent.
The problem is more likely to occur when the server is handling multiple
requests simultaneously.
The easiest way to exploit this vulnerability would be to make many
simultaneous requests to the server, hoping to trigger the problem and receive
a portion of another users response that contains sensitive information.
Recommended fix:
Users should upgrade to latest patch version for the release they are using.
Alternatively, the following patch can be applied:
Index: DecoratedWorkerRequest.cs
===================================================================
--- DecoratedWorkerRequest.cs (revision 442)
+++ DecoratedWorkerRequest.cs (revision 443)
@@ -125,8 +125,9 @@
{
if (Exception == null)
{
- if (log.IsDebugEnabled) log.Debug("Calling
FlushResponse(" + finalFlush + ")");
- OrigWorker.FlushResponse(finalFlush);
+ if (log.IsDebugEnabled)
log.Debug("FlushResponse(" + finalFlush + ") called -> Calling
FlushResponse(false)");
+ // Always pass false so that ASP.NET doesn't
recycle response buffers while they are still in use.
+ OrigWorker.FlushResponse(false);
}
}