Opened 5 years ago

Closed 5 years ago

#2199 closed defect (fixed)

Empty POST-Requests crashes IIS application pool

Reported by: gBecker
Owned by:
Priority: medium
Milestone: 2.5
Component: Map Agent
Version: 2.4.0
Severity: major
Keywords:
Cc:
External ID:

Description

When sending empty POST-requests to the mapagent (http://localhost/mapguide/mapagent/mapagent.fcgi), the IIS application pool stops working after reaching the maximum number of errors in a specified time period (configured in the advanced settings dialog of the application pool). Default is 5 errors in five minutes. POST-requests with any other data result at least in an error message or in a valid response. This leaves the application pool alive.

In my opinion it's a potential security risk because anyone can crash an application pool by just doing a POST-request to the MapAgent.

In the Windows event logs the error is logged as type WAS (Windows Activation Service).

To reproduce the error simply do a post with no data to the mapagent. I used cURL to do this:

curl -v "http://localhost/mapguide/mapagent/mapagent.fcgi" --request POST --data "" --user Administrator:admin

As a solution it would be nice if the MapAgent could send a proper message or error back to the client, so that the application pool doesn't stop working.

For further information on this see this thread

Attachments (5)

Application.evtx (68.0 KB) - added by gBecker 5 years ago.
Windows ApplicationLog
System.evtx (68.0 KB) - added by gBecker 5 years ago.
Windows SystemLog
curl.log (1.7 KB) - added by gBecker 5 years ago.
cURL log
isapi_MapAgent32.zip (26.4 KB) - added by jng 5 years ago.
Patched isapi mapagent dll (32-bit, MGOS 2.4)
isapi_MapAgent64.zip (28.8 KB) - added by jng 5 years ago.
Patched isapi mapagent dll (64-bit, MGOS 2.4)


Change History (8)

Changed 5 years ago by gBecker

Attachment: Application.evtx added

Windows ApplicationLog

Changed 5 years ago by gBecker

Attachment: System.evtx added

Windows SystemLog

Changed 5 years ago by gBecker

Attachment: curl.log added

cURL log

comment:1 Changed 5 years ago by zspitzer

see #818

Changed 5 years ago by jng

Attachment: isapi_MapAgent32.zip added

Patched isapi mapagent dll (32-bit, MGOS 2.4)

Changed 5 years ago by jng

Attachment: isapi_MapAgent64.zip added

Patched isapi mapagent dll (64-bit, MGOS 2.4)

comment:2 Changed 5 years ago by jng

Try these attached dlls against your MGOS 2.4 installation. If the problem no longer exists, this ticket can be closed.

comment:3 Changed 5 years ago by gBecker

Resolution: fixed
Status: new → closed

Thanks, it works!
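
A regression probe for the fix confirmed in this ticket, added here as an example and not part of the ticket or the MapGuide code base: it sends a single zero-length POST, as the curl command in the description does, and reports whether the endpoint answered. The names `probe_empty_post`, `StubAgent` and `run_stub` are hypothetical, the stub server is a constructed stand-in so the check runs offline, and treating a dropped connection as the crash symptom is an assumption.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def probe_empty_post(url, auth=None, timeout=5.0):
    """Send ONE zero-length POST; return (verdict, status).

    handled: an HTTP answer came back. pool-unavailable: 503, which IIS
    returns once the pool is stopped. no-response: connection dropped.
    """
    parts = urlsplit(url)
    headers = {}
    if auth:  # same role as curl's --user name:password
        token = base64.b64encode(":".join(auth).encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("POST", parts.path or "/", body=b"", headers=headers)
        status = conn.getresponse().status
    except (http.client.HTTPException, OSError):
        return ("no-response", None)
    finally:
        conn.close()
    return ("pool-unavailable" if status == 503 else "handled", status)


class StubAgent(BaseHTTPRequestHandler):
    """Constructed stand-in: server.reply is a status code, or None to drop."""

    def do_POST(self):
        if self.server.reply is None:
            return  # assumed crash symptom: socket closes with no answer
        self.send_response(self.server.reply)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_stub(reply):
    """Start the stub on a free localhost port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), StubAgent)
    server.reply = reply
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/mapguide/mapagent/mapagent.fcgi" % server.server_port
```

Against a patched agent the expected verdict is `handled`, whatever the status code; any other verdict means the empty-body path is still not answered.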
