Fast-CGI standard not being implemented correctly for FCGI_GET_VALUES #1240
Comments
|
Could you maybe give some instructions how to reproduce it so we can make
it easy for ourselves to improve the product? One thing we currently don't
do is keeping a presistent connection with an FastCGI backend. This is
also something that might have to be implemented.
|
|
Hi Stefan, I have a production servlet named "hacker_intercept", whose function is to handle any requests leftover from legitimate URL requests, and block IPs of hackers. It started crashing occasionally. After analysing the stack trace, I figured it was because my Fast-CGI implementation was incomplete. So I changed the code to drop the connection for any unsupported record types and log what the type was. By monitoring the servlet log I found the trouble originated from a management request FCGI_GET_VALUES_RESULT. By looking at the next recorded hack attempt and comparing with the cherokee.access log, it seems that the request that caused the application value request was most likely the following: 500 is "internal server error" so that is most likely it. There is some discussion about this attack on stack overflow and else where. It might give a clue on how to reproduce the behavior. |
I am using Cherokee Web Server version 1.2.101 and noticed recently that my Fast-CGI application broker is receiving requests with the record type set to FCGI_GET_VALUES_RESULT. According to section 4.1. FCGI_GET_VALUES, FCGI_GET_VALUES_RESULT of the Fast-CGI standard, this should not be happening.
The text was updated successfully, but these errors were encountered: