https://bz.apache.org/bugzilla/show_bug.cgi?id=66102
Bug ID: 66102
Summary: IBM WebSphere "WASPostParam" Cookie Deserialization
Denial of Service on HTTPD, Redhat
Product: Apache httpd-2
Version: 2.4.53
Hardware: Other
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: All
Assignee: bugs@httpd.apache.org
Reporter: anubhavp@cdot.in
Target Milestone: ---
Created attachment 38310
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38310&action=edit
Cookie File
(Apache)HTTPD Version : 2.4.53
Redhat Version : 8.1
PHP version : 7.4.28
We have a critical vulnerability being reported at a website handled by us. The
bug states that "The application deserializes serial objects in an insecure
manner" when a GET request along with a cookie named "WASPostParam" is sent to
the server. After receiving the request, our server creates a TCP
connection and waits in "FIN_WAIT" state, but there is no response from the
server side, and after the timeout of the TCP connection the Postman application
states that "Could not get a response from the server". We are using the Postman
application for sending the request. I have attached the cookie file, our
httpd.conf and screenshots stating our vulnerability.
Kindly see the attachment for the files related to the problem and suggest a
possible solution.
Thanks & Regards
Anubhav
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org