Opened 11 years ago
Closed 11 years ago
#2199 closed defect (fixed)
Empty POST-Requests crashes IIS application pool
| Reported by: | gBecker | Owned by: | |
|---|---|---|---|
| Priority: | medium | Milestone: | 2.5 |
| Component: | Map Agent | Version: | 2.4.0 |
| Severity: | major | Keywords: | |
| Cc: | External ID: |
Description
When sending empty POST-requests to the mapagent (http://localhost/mapguide/mapagent/mapagent.fcgi) the IIS application pool stops working after reaching the maximum number of errors in a specified time period (configured in advanced settings dialog of the application pool). Default is 5 errors in five minutes. POST-requests with any other data results at least in an error message or in a valid response. This leaves the application pool staying alive.
In my opinion its a potential security risk becausa anyone can crash an application pool by just doing a POST-request to the MapAgent.
In windows eventlogs the error is logged as of type WAS (Windows Activation Service)
To reproduce the error simply do a post with no data to the mapagent. I used cURL to do this:
curl -v "http://localhost/mapguide/mapagent/mapagent.fcgi" --request POST --data "" --user Administrator:admin
As a solution it would be nice if the MapAgent could send a proper message or errror back to the client, so that the application pool doesn't stop working.
For further information on this see this thread
Attachments (5)
Change History (8)
by , 11 years ago
| Attachment: | Application.evtx added |
|---|
by , 11 years ago
| Attachment: | isapi_MapAgent32.zip added |
|---|
Patched isapi mapagent dll (32-bit, MGOS 2.4)
by , 11 years ago
| Attachment: | isapi_MapAgent64.zip added |
|---|
Patched isapi mapagent dll (64-bit, MGOS 2.4)
comment:2 by , 11 years ago
Try these attached dlls against your MGOS 2.4 installation. If the problem no longer exists, this ticket can be closed.
Windows ApplicationLog