Discussion forum about ELOG
possible DOS vulnerability with negative Content-Length field, posted by Christian Herzog on Tue Dec 5 15:30:43 2017
    Re: possible DOS vulnerability with negative Content-Length field, posted by Stefan Ritt on Wed Dec 6 13:34:56 2017
Message ID: 68708     Entry time: Tue Dec 5 15:30:43 2017     Reply to this: 68709
Icon: Warning  Author: Christian Herzog  Author Email: herzog@phys.ethz.ch 
Category: Question  OS: Linux  ELOG Version: ELOG V3.1.2 
Subject: possible DOS vulnerability with negative Content-Length field 

Hi,

a routine scan revealed a possible DOS attack vector: sending an invalid POST HTTP request with a negative Content-Length field crashes our elog instance, leading to service unavailability.

thanks,

-Christian

-- 
Dr. Christian Herzog <herzog@phys.ethz.ch>  support: +41 44 633 26 68
IT Services Group, HPT H 8                    voice: +41 44 633 39 50
Department of Physics, ETH Zurich           
8093 Zurich, Switzerland                     http://nic.phys.ethz.ch/
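
An added example, not part of the original post and not ELOG's own code: a strict Content-Length parser in C that rejects negative and otherwise malformed values before the length is used for allocation or reading. The function name, the status codes and the 10 MiB body limit are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Assumed upper bound on request bodies; tune to the deployment. */
#define MAX_BODY_BYTES (10UL * 1024UL * 1024UL)

/* Hypothetical status codes, mapped to the HTTP response to send. */
enum cl_status { CL_OK = 0, CL_MALFORMED = 400, CL_TOO_LARGE = 413 };

/*
 * Parse the value of a Content-Length header (the text after the colon).
 * Accepts only decimal digits with optional surrounding whitespace, so
 * "-1", "+5", "0x10", "12abc" and the empty string are rejected before
 * any size arithmetic or allocation happens.
 */
enum cl_status parse_content_length(const char *value, size_t *out)
{
    const char *p = value;
    char *end;
    unsigned long long n;

    if (value == NULL || out == NULL)
        return CL_MALFORMED;
    while (*p == ' ' || *p == '\t')
        p++;
    /* strtoull() accepts a sign and wraps negatives, so require a digit first. */
    if (!isdigit((unsigned char)*p))
        return CL_MALFORMED;

    errno = 0;
    n = strtoull(p, &end, 10);
    if (errno == ERANGE)
        return CL_TOO_LARGE;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')
        return CL_MALFORMED;          /* trailing junk such as "12abc" */
    if (n > MAX_BODY_BYTES)
        return CL_TOO_LARGE;

    *out = (size_t)n;                 /* safe: bounded by MAX_BODY_BYTES */
    return CL_OK;
}
```

A caller would answer `CL_MALFORMED` with 400 and `CL_TOO_LARGE` with 413 and close the connection without reading a body.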

 
