[Bug 66102] New: IBM WebSphere "WASPostParam" Cookie Deserialization Denial of Service on HTTPD, Redhat
https://bz.apache.org/bugzilla/show_bug.cgi?id=66102

Bug ID: 66102
Summary: IBM WebSphere "WASPostParam" Cookie Deserialization
Denial of Service on HTTPD, Redhat
Product: Apache httpd-2
Version: 2.4.53
Hardware: Other
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: All
Assignee: bugs@httpd.apache.org
Reporter: anubhavp@cdot.in
Target Milestone: ---

Created attachment 38310
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38310&action=edit
Cookie File

Apache HTTPD version: 2.4.53
Redhat version: 8.1
PHP version: 7.4.28


We have a critical vulnerability being reported at a website handled by us. The
bug states that "The application deserializes serial objects in an insecure
manner" when a GET request along with a cookie named "WASPostParam" is sent to
the server. After receiving the request, our server creates a TCP connection
and waits in the "FIN_WAIT" state, but there is no response from the server
side, and after the TCP connection times out the Postman application states
"Could not get a response from the server". We are using the Postman
application for sending the request. I have attached the cookie file, our
httpd.conf and screenshots showing our vulnerability.
Kindly see the attachment for the files related to the problem and suggest the
possible solution.


Thanks & Regards
Anubhav
