Friday March 3, 2006
Patch against monopd 0.9.3 DoS attack bug
- Posted by Rob (#1) on March 3, 2006 11:05 CET
Luigi Auriemma reported a security bug in monopd 0.9.3 which could result in a denial of service through excessive resource consumption:
The Monopd server makes the string replacement (escapeXML) of some chars in the input data of the client for avoiding the manipulation of its XML output.
The problem is that the replacing of the bad chars takes a lot of CPU and memory if the string is too long (over 15000 chars) so any client in the server will not be able to play and join during the attack.
I have written a proof-of-concept for testing the bug:
A fix for this DoS attack is available as a patch against monopd 0.9.3, from the Atlantik and monopd download page. It limits the number of characters accepted from user input involving strings (player names and token images, game descriptions).
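An added example, not taken from the monopd patch or from the original post: one way to apply the mitigation described above in C++, capping a user-supplied string before escaping it in a single pass. The names clampInput and escapeXmlBounded and the 32-byte limit are assumptions; the page does not give the patch's actual limits.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Assumed limit for this example; the page does not state the patch's values.
constexpr std::size_t kMaxNameLen = 32;

// Cut user input to at most maxLen bytes before any further processing.
// Backs up so a multi-byte UTF-8 sequence is never split in the middle.
std::string clampInput(const std::string &in, std::size_t maxLen) {
    if (in.size() <= maxLen) return in;
    std::size_t end = maxLen;
    while (end > 0 && (static_cast<unsigned char>(in[end]) & 0xC0) == 0x80)
        --end;
    return in.substr(0, end);
}

// Hypothetical bounded escape: clamp first, then visit each byte once and
// append to a pre-reserved buffer, so work is linear in the bounded length.
std::string escapeXmlBounded(const std::string &in, std::size_t maxLen) {
    const std::string s = clampInput(in, maxLen);
    std::string out;
    out.reserve(s.size() * 6);  // worst case: every byte becomes "&quot;"
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&apos;"; break;
            default:   out += c;
        }
    }
    return out;
}

int main() {
    // Constructed input: an oversized string of characters that need escaping.
    const std::string oversized(20000, '<');
    std::cout << escapeXmlBounded(oversized, kMaxNameLen).size() << "\n";
    std::cout << escapeXmlBounded("Tom & \"Jerry\"", kMaxNameLen) << "\n";
    return 0;
}
```

Applying the cap at the point where the network line is parsed, before any escaping or copying, keeps the per-message cost bounded regardless of what a client sends.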
- Tags: security, monopd, patch
Hard-Fi preview
- Posted by Rob (#1) on March 3, 2006 20:36 CET
I knew Hard-Fi is a teenie band but I did not expect an audience this young! Perky half developed boobs, confused parents and first time alcoholism all around! Oh wait there's someone my age.. behind the bar that is! Maybe I should pretend that bracelets are dental piercings, otherwise the view won't be thrilling tonight. Sigh, I should just stand with the old folk at the back shouldn't I?
- Tags: Hard-Fi