Posted to bugs@httpd.apache.org by bu...@apache.org on 2022/06/03 11:12:15 UTC

[Bug 66102] New: IBM WebSphere "WASPostParam" Cookie Deserialization Denial of Service on HTTPD, Redhat

https://bz.apache.org/bugzilla/show_bug.cgi?id=66102

            Bug ID: 66102
           Summary: IBM WebSphere "WASPostParam" Cookie Deserialization
                    Denial of Service on HTTPD, Redhat
           Product: Apache httpd-2
           Version: 2.4.53
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: All
          Assignee: bugs@httpd.apache.org
          Reporter: anubhavp@cdot.in
  Target Milestone: ---

Created attachment 38310
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=38310&action=edit
Cookie File

(Apache)HTTPD Version : 2.4.53
Redhat Version : 8.1
PHP version : 7.4.28


We have a critical vulnerability being reported at a website handled by us. The
bug states that "The application deserializes serial objects in an insecure
manner" when a GET request along with a cookie named "WASPostParam" is sent to
the server. After receiving the request, our server creates a TCP
connection and waits in the "FIN_WAIT" state, but there is no response from the
server side, and after the TCP connection times out the Postman application
states "Could not get a response from the server". We are using the Postman
application for sending the request. I have attached the cookie file, our
httpd.conf and screenshots stating our vulnerability.
Kindly see the attachment for the files related to the problem and suggest the
possible solution.


Thanks & Regards
Anubhav

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 66102] IBM WebSphere "WASPostParam" Cookie Deserialization Denial of Service on HTTPD, Redhat


--- Comment #2 from anubhav <an...@cdot.in> ---
I have stopped the drupal flow, i.e. I have tested it with only index.html, but
again I faced the same issue.



[Bug 66102] IBM WebSphere "WASPostParam" Cookie Deserialization Denial of Service on HTTPD, Redhat


Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Eric Covener <co...@gmail.com> ---
If there's a problem deserializing this cookie, it's not in httpd.  httpd
doesn't do anything but forward the [serialized] value to the application
server.

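Comment #1 makes the point that httpd only forwards the cookie value; any deserialization, and therefore any check on what arrives, belongs to the application tier or to a filter placed in front of it. The following is an added example, not code from this bug thread, from httpd or from WebSphere, that flags cookie values carrying the Java object-serialization stream header (bytes 0xAC 0xED 0x00 0x05, which base64-encode to a value starting "rO0AB") so such requests can be logged or rejected before an application server deserializes anything. The function names and the constructed sample Cookie header, including its WASPostParam value, are my own; nothing here asserts how WebSphere itself handles that cookie.

```python
import base64
import binascii
from urllib.parse import unquote

# Java object-serialization stream header: STREAM_MAGIC (0xACED) then STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# The same four bytes once base64-encoded, the form they usually take inside a cookie.
JAVA_STREAM_MAGIC_B64 = base64.b64encode(JAVA_STREAM_MAGIC).decode()  # "rO0ABQ=="


def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs.

    Values are percent-decoded because clients often URL-encode the '=' padding
    of base64 cookie values. A pair without '=' is kept with an empty value.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), unquote(value.strip())))
    return pairs


def looks_like_java_serialized(value):
    """True if the value starts with the Java serialization header, raw or base64-encoded."""
    raw = value.encode("latin-1", errors="ignore")  # latin-1 keeps each char as one byte
    if raw.startswith(JAVA_STREAM_MAGIC):
        return True
    # Every base64 encoding of a stream beginning 0xACED0005 starts with "rO0AB";
    # this cheap prefix test avoids decoding every cookie on the request.
    if not value.startswith("rO0AB"):
        return False
    # Confirm by strict decoding: accept the URL-safe alphabet and stripped padding.
    standard = value.replace("-", "+").replace("_", "/")
    padded = standard + "=" * (-len(standard) % 4)
    try:
        return base64.b64decode(padded, validate=True).startswith(JAVA_STREAM_MAGIC)
    except binascii.Error:
        return False


def flag_serialized_cookies(header):
    """Names of the cookies in a Cookie header whose values carry a Java stream header."""
    return [name for name, value in parse_cookie_header(header)
            if looks_like_java_serialized(value)]


# Constructed sample request header (not the bug's attachment): an ordinary session
# cookie, a cookie carrying a base64 Java stream header plus filler bytes, one whose
# padding is percent-encoded as a browser would send it, and a harmless preference.
SAMPLE_COOKIE_HEADER = (
    "JSESSIONID=0000abc123; "
    "WASPostParam=" + base64.b64encode(JAVA_STREAM_MAGIC + b"constructed-filler").decode() + "; "
    "stateblob=rO0ABQ%3D%3D; "
    "theme=dark"
)

if __name__ == "__main__":
    print("cookies carrying a Java serialization header:",
          flag_serialized_cookies(SAMPLE_COOKIE_HEADER))
```

A positive match is a logging or blocking signal for a WAF rule, a reverse-proxy filter or an application-side request filter, not proof of an exploit attempt: some products legitimately carry serialized state in cookies, so the decision to reject rests with whoever owns the application tier that would deserialize it.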