Discussion forum about ELOG
possible DOS vulnerability with negative Content-Length field, posted by Christian Herzog on Tue Dec 5 15:30:43 2017
    Re: possible DOS vulnerability with negative Content-Length field, posted by Stefan Ritt on Wed Dec 6 13:34:56 2017
Message ID: 68709     Entry time: Wed Dec 6 13:34:56 2017     In reply to: 68708
Icon: Reply  Author: Stefan Ritt  Author Email: stefan.ritt@psi.ch 
Category: Question  OS: Linux  ELOG Version: ELOG V3.1.2 
Subject: Re: possible DOS vulnerability with negative Content-Length field 

I have fixed this issue in the current develop branch of elog.

Stefan

Christian Herzog wrote:

Hi,

A routine scan revealed a possible DOS attack vector: sending an invalid POST HTTP request with a negative Content-Length field crashes our elog instance, leading to service unavailability.

Thanks,

-Christian

-- 
Dr. Christian Herzog <herzog@phys.ethz.ch>  support: +41 44 633 26 68
IT Services Group, HPT H 8                    voice: +41 44 633 39 50
Department of Physics, ETH Zurich           
8093 Zurich, Switzerland                     http://nic.phys.ethz.ch/
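
An added example, not part of the original posts and not ELOG's own code: one way a C HTTP server can parse a Content-Length value strictly, so that negative, non-numeric or oversized values are rejected before any buffer size is derived from them. The function name `parse_content_length` and the 10 MiB cap `MAX_BODY` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound on an accepted request body (not an ELOG setting). */
#define MAX_BODY (10u * 1024u * 1024u)

/*
 * Parse the value of a Content-Length header.
 * Accepts only ASCII digits with optional surrounding spaces/tabs.
 * Returns 0 and stores the length in *out on success, -1 on rejection
 * (the caller should answer 400 Bad Request and close the connection).
 */
int parse_content_length(const char *value, size_t *out)
{
    const char *p = value;
    char *end;
    unsigned long long n;

    if (value == NULL || out == NULL)
        return -1;
    while (*p == ' ' || *p == '\t')
        p++;
    /* strtoull() silently accepts '-' and '+', so require a digit first. */
    if (*p < '0' || *p > '9')
        return -1;
    errno = 0;
    n = strtoull(p, &end, 10);
    if (errno == ERANGE)       /* more digits than fit in the integer type */
        return -1;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')          /* trailing garbage such as "12abc" */
        return -1;
    if (n > MAX_BODY)          /* never size a buffer from an unbounded value */
        return -1;
    *out = (size_t)n;
    return 0;
}

int main(void)
{
    /* Constructed sample header values. */
    const char *samples[] = { "1024", "-1", "  42 ", "99999999999999999999", "12abc", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = 0;
        int rc = parse_content_length(samples[i], &len);
        printf("\"%s\" -> %s (%zu)\n", samples[i], rc == 0 ? "accept" : "reject", len);
    }
    return 0;
}
```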

 

 

ELOG V3.1.5-fe60aaf