[Mapguide-trac] [mapguide-trac] #2199: Empty POST-Requests crashes IIS application pool
MapGuide Open Source
trac_mapguide at osgeo.org
Tue Dec 11 02:11:40 PST 2012
#2199: Empty POST-Requests crashes IIS application pool
-------------------------+--------------------------------------------------
Reporter: gBecker | Owner:
Type: defect | Status: new
Priority: medium | Milestone: 2.5
Component: Map Agent | Version: 2.4.0
Severity: major | Keywords:
External_id: |
-------------------------+--------------------------------------------------
When sending empty POST-requests to the mapagent
(http://localhost/mapguide/mapagent/mapagent.fcgi) the IIS application
pool stops working after reaching the maximum number of errors in a
specified time period (configured in the advanced settings dialog of the
application pool). Default is 5 errors in five minutes. POST-requests with
any other data result at least in an error message or in a valid
response. This leaves the application pool staying alive.
In my opinion it's a potential security risk because anyone can crash an
application pool by just doing a POST-request to the MapAgent.
In the Windows event logs the error is logged as type WAS (Windows
Activation Service).
To reproduce the error simply do a post with no data to the mapagent. I
used cURL to do this:
curl -v "http://localhost/mapguide/mapagent/mapagent.fcgi" --request POST --data "" --user Administrator:admin
As a solution it would be nice if the MapAgent could send a proper message
or error back to the client, so that the application pool doesn't stop
working.
For further information on this see this
[http://osgeo-org.1560.n6.nabble.com/isapi-MapAgent-dll-crashes-MapGuideAppPool-tt4183774.html thread]
--
Ticket URL: <http://trac.osgeo.org/mapguide/ticket/2199>
MapGuide Open Source <http://mapguide.osgeo.org/>
MapGuide Open Source Internals
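
The kind of guard the report asks for, as an added example that is not part of the original ticket or MapGuide's code: a CGI-style check that answers an empty or malformed POST with an HTTP error before the request reaches the handler. The names `Verdict`, `checkRequest` and `render` and the 1 MiB body limit are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical types and names for illustration; this is not MapGuide's API.
struct Verdict { int status; std::string message; };  // status 0: hand to the real handler

// Strict decimal parse: strtoul-style parsers accept "-1" and wrap it to a huge value.
static bool parseLength(const std::string& s, unsigned long long& out) {
    if (s.empty() || s.size() > 10) return false;
    out = 0;
    for (char c : s) {
        if (c < '0' || c > '9') return false;
        out = out * 10 + static_cast<unsigned long long>(c - '0');
    }
    return true;
}

// env holds the CGI variables; body holds the bytes actually read from the request stream.
Verdict checkRequest(const std::map<std::string, std::string>& env,
                     const std::string& body,
                     unsigned long long maxBody = 1024 * 1024) {
    auto method = env.find("REQUEST_METHOD");
    if (method == env.end()) return {400, "missing REQUEST_METHOD"};
    if (method->second != "POST") return {0, ""};
    auto len = env.find("CONTENT_LENGTH");
    if (len == env.end() || len->second.empty()) return {411, "Content-Length required"};
    unsigned long long declared = 0;
    if (!parseLength(len->second, declared)) return {400, "malformed Content-Length"};
    if (declared == 0) return {400, "empty POST body"};
    if (declared > maxBody) return {413, "request body too large"};
    if (body.size() != declared) return {400, "body length mismatch"};
    return {0, ""};
}

// CGI-style response: a Status header, a content type, a blank line, then the message.
std::string render(const Verdict& v) {
    return "Status: " + std::to_string(v.status) + " " + v.message +
           "\r\nContent-Type: text/plain\r\n\r\n" + v.message + "\n";
}

int main() {
    // Constructed input: what the handler sees for a POST with no data.
    Verdict v = checkRequest({{"REQUEST_METHOD", "POST"}, {"CONTENT_LENGTH", "0"}}, "");
    std::cout << render(v);
    return v.status == 400 ? 0 : 1;
}
```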