Closed NickTullos closed 10 years ago
Can you give more details on the request you have problems with?
I think I found the error location and reason. I'm very new to the fast cgi so I dont know the specs. But it looks like you're getting the buffer length from one byte, but I think it should be pulling from two bytes. I think thats why it takes a longer URL request to break it. once buffer length is broken the results set in the KVP are very interesting.
here is my test url to preproduce the bug
public static int GetLength(BinaryReader reader) { byte length = reader.ReadByte(); if ((length & 0x80) == 0) return length; return length & 0x7F << 24 + reader.ReadByte() << 16 + reader.ReadByte() << 8 + reader.ReadByte(); }
On Fri, May 23, 2014 at 1:03 PM, Luigi Grilli notifications@github.comwrote:
Can you give more details on the request you have problems with?
— Reply to this email directly or view it on GitHubhttps://github.com/gigi81/sharpfastcgi/issues/6#issuecomment-44042016 .
thanks, initial testing looks good.
On Fri, May 23, 2014 at 4:49 PM, Luigi Grilli notifications@github.com wrote:
Closed #6 https://github.com/gigi81/sharpfastcgi/issues/6.
— Reply to this email directly or view it on GitHub https://github.com/gigi81/sharpfastcgi/issues/6#event-124420651.
i'm looking into the bug right now. It looks like a buffer overrun error and it give an attacker an exploit to abuse the system.