Re: MFC ISAPI Framework Buffer Overflow

From: Chris Wysopal (cwysopalat_private)
Date: Fri Jul 12 2002 - 16:52:11 PDT

In-Reply-To: <001901c228f4$c963fe20$e62d1c41at_private>

BadBlue (and all vendors who wrote ISAPI extensions with MFC) should
recompile with Visual Studio 6.0 SP4 or later. There were serious
problems with many ISAPI extensions built with earlier versions of the MFC
libraries.

Two problems are documented in Microsoft KB articles:

ISAPI DLLs That Are Built with MFC Static Libraries Are Vulnerable to
Denial of Service Attacks (Q310649)
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q310649

and

FIX: Access Violation in MFC ISAPI with Large Query String (Q216562)
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q216562

-Chris

>Systems Affected: All ISAs written using MFC ISAPI framework
>Issue: User-input length values can result in a buffer overflow.
>Risk: Critical
>Scope: Remote Server Compromise
>
>The MFC ISAPI framework is widely used to build ISAs that
>run on a multitude of web servers.
>
>It has been discovered that the framework relies on user-input
>values for request member lengths, making it prone to a buffer
>overrun attack.
>
>When I downloaded my copy of the BadBlue PWS and began
>to test its bizarre "ext.dll" module for vulnerabilities, I found that
>a specially malformed POST request:
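Editor's added illustration of the bug class the quoted advisory describes (a body copy sized from a client-supplied length). This is constructed example code, not MFC's source, not BadBlue's ext.dll, and not the advisory's test code. The ecb_t struct is a cut-down stand-in for ISAPI's EXTENSION_CONTROL_BLOCK carrying only the three fields the example needs (cbTotalBytes, cbAvailable, lpbData); the 64-byte buffer, the helper names and the sample requests are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size body buffer of the kind an extension might put on the stack
   for a POST body (size chosen for the example). */
#define BODY_BUF 64

/* Cut-down stand-in for the ISAPI EXTENSION_CONTROL_BLOCK (hypothetical,
   only three of its fields are modelled).  cbTotalBytes is the
   Content-Length the client declared; cbAvailable is how many body bytes
   the server has actually placed in lpbData. */
typedef struct {
    unsigned long cbTotalBytes;
    unsigned long cbAvailable;
    const unsigned char *lpbData;
} ecb_t;

/* Builds a request from constructed test input (not a real capture). */
static ecb_t make_request(const unsigned char *body, unsigned long delivered,
                          unsigned long declared)
{
    ecb_t e;
    e.lpbData = body;
    e.cbAvailable = delivered;
    e.cbTotalBytes = declared;
    return e;
}

/* Vulnerable pattern: the copy length is taken straight from the client's
   declared Content-Length.  A request declaring more than BODY_BUF bytes
   writes past buf.  Shown only to illustrate the bug; never feed it
   untrusted input. */
static int read_body_unsafe(const ecb_t *e, char buf[BODY_BUF])
{
    memcpy(buf, e->lpbData, e->cbTotalBytes);
    buf[e->cbTotalBytes] = '\0';
    return (int)e->cbTotalBytes;
}

/* Computes (without executing the copy) whether read_body_unsafe() would
   write past a bufsize-byte buffer for this request: 1 = yes, 0 = no.
   The NUL terminator needs one byte, hence >= rather than >. */
static int unsafe_would_overflow(const ecb_t *e, unsigned long bufsize)
{
    return e->cbTotalBytes >= bufsize;
}

/* Hardened reader: bound the copy by the destination size and by the
   bytes actually delivered.  Returns bytes copied, or -1 on rejection. */
static int read_body_safe(const ecb_t *e, char *buf, unsigned long bufsize)
{
    if (e->cbTotalBytes >= bufsize)        /* no room for body + NUL */
        return -1;
    if (e->cbTotalBytes > e->cbAvailable)  /* declared more than delivered */
        return -1;
    memcpy(buf, e->lpbData, e->cbTotalBytes);
    buf[e->cbTotalBytes] = '\0';
    return (int)e->cbTotalBytes;
}

/* Honest 16-byte POST: declared == delivered == 16.  Returns 16. */
int demo_honest_request(void)
{
    unsigned char body[16];
    char buf[BODY_BUF];
    memset(body, 'A', sizeof body);
    ecb_t e = make_request(body, sizeof body, sizeof body);
    return read_body_safe(&e, buf, sizeof buf);
}

/* 16 bytes delivered, Content-Length claims 100000.  Safe reader: -1. */
int demo_lying_request(void)
{
    unsigned char body[16];
    char buf[BODY_BUF];
    memset(body, 'A', sizeof body);
    ecb_t e = make_request(body, sizeof body, 100000UL);
    return read_body_safe(&e, buf, sizeof buf);
}

/* The same lying request against the unsafe reader would overrun: 1. */
int demo_lying_request_overflows_unsafe(void)
{
    unsigned char body[16];
    memset(body, 'A', sizeof body);
    ecb_t e = make_request(body, sizeof body, 100000UL);
    return unsafe_would_overflow(&e, BODY_BUF);
}

/* Declared length (40) fits the buffer but exceeds what was delivered
   (16): the copy would read past lpbData, so the safe reader rejects it. */
int demo_short_delivery(void)
{
    unsigned char body[16];
    char buf[BODY_BUF];
    memset(body, 'A', sizeof body);
    ecb_t e = make_request(body, sizeof body, 40UL);
    return read_body_safe(&e, buf, sizeof buf);
}

int main(void)
{
    unsigned char body[16];
    char buf[BODY_BUF];
    memset(body, 'A', sizeof body);
    ecb_t honest = make_request(body, sizeof body, sizeof body);
    printf("unsafe reader, honest request: %d bytes\n",
           read_body_unsafe(&honest, buf));
    printf("safe reader, honest request:   %d\n", demo_honest_request());
    printf("safe reader, lying request:    %d\n", demo_lying_request());
    printf("unsafe reader would overflow:  %d\n",
           demo_lying_request_overflows_unsafe());
    printf("safe reader, short delivery:   %d\n", demo_short_delivery());
    return 0;
}
```

Both checks in read_body_safe matter: the first stops the stack write the advisory is about, the second stops the reader from trusting a declared length the server never actually delivered into the buffer it hands the extension.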
    



    This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 19:11:58 PDT