Vulnerability II


This vulnerability appeared on Bugtraq.

Problem

A request whose filename contains a very large number of slash characters, on the order of hundreds of thousands, makes the server consume a great deal of CPU time, so that to all appearances it is frozen.

Versions

Compieuw and Compieuw.1 are vulnerable, and possibly earlier versions as well. Fixed in Compieuw.2.

Description of the fix

The URL in a request is now limited to 260 characters, which is the maximum file path length on Windows. This number of characters is not enough to freeze the server for a significant amount of time.

As a result of the fix, you cannot create virtual folders with very long names that map to real folders with short names.
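The following C sketch illustrates the kind of check the fix describes; it is an added example, not the server's own code. The function names, the 414 status code and the single-pass slash collapsing are assumptions made for illustration; only the 260-character limit comes from this page.

```c
#include <stdio.h>
#include <string.h>

#define MAX_URL_LEN 260  /* limit stated on this page: Windows maximum path length */

/* Hypothetical helper. Takes a request line without its trailing CRLF
 * ("GET /path HTTP/1.0"), finds the URL and enforces the cap before any
 * path processing is done. Returns 200 and copies the URL to out, 400 for
 * a malformed line, 414 when the URL is longer than MAX_URL_LEN. */
int check_request_target(const char *line, size_t line_len,
                         char *out, size_t out_size)
{
    const char *sp1 = memchr(line, ' ', line_len);
    if (sp1 == NULL) return 400;
    const char *target = sp1 + 1;
    size_t remaining = line_len - (size_t)(target - line);
    const char *sp2 = memchr(target, ' ', remaining);
    size_t target_len = sp2 ? (size_t)(sp2 - target) : remaining;
    if (target_len == 0) return 400;
    if (target_len > MAX_URL_LEN) return 414;  /* rejected before slashes are parsed */
    if (target_len >= out_size) return 414;    /* caller's buffer is too small */
    memcpy(out, target, target_len);
    out[target_len] = '\0';
    return 200;
}

/* Assumed later stage: collapse runs of '/' in place, in one pass.
 * It only ever sees input that passed the cap, so its work is bounded. */
size_t collapse_slashes(char *path)
{
    size_t w = 0;
    for (size_t r = 0; path[r] != '\0'; r++) {
        if (path[r] == '/' && w > 0 && path[w - 1] == '/') continue;
        path[w++] = path[r];
    }
    path[w] = '\0';
    return w;
}

int main(void)
{
    char url[MAX_URL_LEN + 1];
    const char *line = "GET /docs//index.html HTTP/1.0";  /* constructed sample */
    int status = check_request_target(line, strlen(line), url, sizeof url);
    if (status == 200) collapse_slashes(url);
    printf("%d %s\n", status, status == 200 ? url : "(rejected)");
    return 0;
}
```

The length test runs on the raw request line, so the cost of rejecting an oversized URL is one scan for the delimiting spaces and does not depend on how the path is processed afterwards.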