All, An institutional vulnerability scan crashed 4D/Active4D last night. We have A4D behind Apache, but based on my access logs and the 4D crash report it looks like the scan may have passed in a query parameter that gets base64 decoded. Here's the first part of the crash thread:
Thread 15 Crashed:
0 libSystem.B.dylib 0x926a94fe __semwait_signal_nocancel + 10
1 libSystem.B.dylib 0x926a93e2 nanosleep$NOCANCEL$UNIX2003 + 166
2 libSystem.B.dylib 0x927242aa usleep$NOCANCEL$UNIX2003 + 61
3 libSystem.B.dylib 0x927459c8 abort + 105
4 icu 0x1bd5ff5d 0x1bc01000 + 1437533
5 icu 0x1bd11bc4 u_UCharsToChars_4_2 + 126
6 com.aparajita.Active4D 0x1d84c6f3 plugin::crypto::base64Decode(plugin::Variable4D const&, char*&, unsigned long&) + 167
7 com.aparajita.Active4D 0x1d8e8aa4 plugin::a4d::runtime::base64Decode(plugin::a4d::Interpreter&, void*) + 958
8 com.aparajita.Active4D 0x1d85d101 plugin::a4d::Interpreter::handleMethod(plugin::a4d::Interpreter::IdentifierInfo const&) + 149
9 com.aparajita.Active4D 0x1d85d611 plugin::a4d::Interpreter::handleIdentifier(bool, plugin::a4d::EToken&) + 279
10 com.aparajita.Active4D 0x1d860e8e plugin::a4d::Interpreter::primary() + 1582
11 com.aparajita.Active4D 0x1d85fe58 plugin::a4d::Interpreter::expression() + 188
12 com.aparajita.Active4D 0x1d8bd093 plugin::a4d::Interpreter::getTextExpression()

The scan would have passed in text that would not have been base64 decode-able. They were trying to inject JavaScript via a query parameter. I have not been able to replicate the crash, but am wondering if I should filter untrusted input before passing it to base64 decode? If so, does anyone have a regex to use as a filter?

Aparajita, if I can isolate a crash test case I'll file a bug report.

-- Brad

_______________________________________________
Active4D-dev mailing list
[email protected]
http://mailman.aparajitaworld.com/mailman/listinfo/active4d-dev
Archives: http://mailman.aparajitaworld.com/archive/active4d-dev/
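A worked example of the kind of filter the post above asks about. This is added here and is not code from Active4D, from 4D, or from anyone on the list; it is written in Python rather than Active4D so it can be run stand-alone, and the parameter name "data", the length limit and the sample query strings are constructed for illustration. It checks the parameter's shape against a strict standard-base64 regex and a size bound before any decoder sees it, and then treats the decoded text as untrusted on the way back out, because well-formed base64 can carry exactly the JavaScript payload a scanner is probing with.

```python
import base64
import binascii
import html
import re
from typing import Optional
from urllib.parse import parse_qs

# Strict shape of standard (RFC 4648 section 4) base64 text: the 64-symbol
# alphabet in groups of four, with an optional final group carrying one or
# two '=' pad characters. Whitespace, the URL-safe '-'/'_' variant and
# anything else fail the match.
_B64_SHAPE = re.compile(
    r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
)


def is_well_formed_base64(value: str) -> bool:
    """True only if value could have come out of a standard base64 encoder."""
    return _B64_SHAPE.fullmatch(value) is not None


def safe_base64_decode(value: str, max_len: int = 4096) -> Optional[bytes]:
    """Decode value, or return None if it is oversized or not well-formed.

    max_len is an assumed limit for this example; pick one that fits the
    largest legitimate payload the page expects.
    """
    if len(value) > max_len or not is_well_formed_base64(value):
        return None
    try:
        # validate=True makes the decoder refuse non-alphabet characters
        # instead of silently dropping them: a second line of defence.
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def handle_query(query_string: str, param: str = "data") -> str:
    """Model of a page that reflects a base64-encoded query parameter.

    Returns the HTML-escaped decoded text, or "rejected" when the parameter
    is missing or fails validation. The parameter name is assumed.
    """
    raw = parse_qs(query_string, keep_blank_values=True).get(param, [None])[0]
    if raw is None:
        return "rejected"
    decoded = safe_base64_decode(raw)
    if decoded is None:
        return "rejected"
    # Passing the shape check says nothing about the content: a scanner can
    # base64-encode its script tag, so the decoded text is escaped before
    # it is reflected into HTML.
    return html.escape(decoded.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Constructed sample inputs: a normal value, the raw payload a scanner
    # sends, a truncated value, and the same payload base64-encoded.
    for q in ("data=aGVsbG8gd29ybGQ=",
              "data=<script>alert(1)</script>",
              "data=aGVsbG8",
              "data=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="):
        print(f"{q!r:48} -> {handle_query(q)!r}")
```

One caveat worth knowing when the value arrives in a query string: form decoding (parse_qs here, and most server-side query parsers) turns a bare '+' into a space, so a client has to send '+' as %2B or a legitimate value will fail the shape check. The filter only keeps malformed text away from the decoder; a decoder that aborts on malformed input is still a bug in its own right and belongs in the bug report.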
