http://mivo.truxoft.com
MIVO!
miva beyond limits

MIVA^®  SECURITY: Insecure Miva Templates #3

by Ivo Truxa, 03/13/2000

Form macro attack / URL macro attack / MvCALL DoS attack

Please read an introduction to the templates vulnerability series in the first article.

MvCALL DoS Attack

This is just a DoS (Denial of Service) kind of attack and therefore not as dangerous as the previous two macro attacks. However, it can be serious enough if somebody keeps your server or PC out of service for hours or days.

MvCALL command has no built-in security for recursive calls of the originating URL. Even with such security, it would be still possible to take two different URLs and let them kill each other.

How does it work?

Run your analyzelinks.mv script, copy and past the following URL several times in the form:
http://127.0.0.1/templates/analyzelinks.mv?callurl=

Copied 10 times? Mia opens 10 threads. Copied 100 times? If your system did not break down, it comes back in few minutes. Try more.

There could be a worse case! I have seen scripts (not in the templates!) with a MvCALL command, where you can inject just a single URL (without copying it more times) and the script falls in a recursive loop calling itself and opening very quickly new threads until the system breaks down.

Yes, you are right - there is a MvCALL timeout. Unfortunately it does not help at all in these cases!

Take Care!

top

Miva and some other terms used on this page are registerd trademarks of the Miva Corporation
copyright  truXoft  © 1997-2008