The Butterfly Effect (2)

Antonio Fontes / Blog / Conseil / Communication / Genève / HEG / Intelligence et guerre économique / Management et sécurité de l'information / NTIC / Sécurité des applications web / Veille

<December 2008>
SuMoTuWeThFrSa
30123456
78910111213
14151617181920
21222324252627
28293031123
45678910

Navigation

Subscriptions

Post Categories



Friday, October 15, 2004 - Posts

The server committed an HTTP protocol violation

The underlying connection was closed: The server committed an HTTP protocol violation.

Error reading URL: The underlying connection was closed: The server committed an HTTP protocol violation.
Please try to validate this feed. If this feed validates as correct RSS, you can send an error report.

If you use an RSS feeds agregator like SharpReader, SauceReader or FeedReader, this error might sound familiar to you. Here is an explanation on how to prevent this…

The issue

The HTTP header keys for example shoud specifically not include any spaces in their names. However, some web servers do not fully respect standards they’re meant to.

Applications running on the Dotnet framework and making heavy use of http requests usually use the “httpWebRequest” class, which encapsulates everything a web oriented developer could dream of. With all the recently issues related to security, the “httpWebRequest” class provides a self protection mechanism preventing it to accept HTTP answers which not fully qualify to the specifications.

The common case is having a space in the ‘content-length’ header key. The server actually returns a “content length” key, which, assuming no spaces are allowed, is considered as an attack vector (HTTP response split attack), thus, triggering a “HTTP protocol violation error” exception.

The workaround

It is possible since the 1.1 SP 1 DotNet version (UPDATE: see comments for instructions prior to version 1.1, credits to Krys Oye) to disable this error check. (Un)Fortunately, DotNet allows you to modify some parameters directly through a simple text configuration file, thus not requiring the user to have some strong developer skills.

I tested this on SharpReader and it immediatly unlocked all the ‘red’ feeds I had.

1. Create a file and name it like ‘yourapplication.extension.config‘. If for example you’re using SharpReader, then create a file named ‘SharpReader.exe.config‘.

2. Open this file with a notepad or any text-based editor and paste the following text in it:

<configuration>
<system.net>
<settings>
<httpWebRequest useUnsafeHeaderParsing="true" />
</settings>
</system.net>
</configuration>

*: Be carefull: if you already see that file in the folder, edit it, and only insert the missing sections in it. Do not try to reproduce a second ‘configuration’ area for example as it will invalidate that configuration file.

3. Save it, then restart your application. That should work now.

Thanks to…

This workaround was found on Gille’s weblog, thanks to him: I can keep my favourite SharpReader ;)

posted Friday, October 15, 2004 6:41 PM by saphyr with 4 Comments

DNS Error messages with Wordpress admin

There’s a bug in Wordpress which prevents administrators to return into the wp-admin zone. Many conditions are required but I think some information I give hereby could help locating the critical path to reproduce it and also help working around it til it gets fixed. Below is a copy of a message sent to Wordpress support some minutes ago…

----

Hi all !

Some people noticed that there might be problems entering into the administrative section of a WP enabled site. They often tend to end in a DNS ERROR message, typically provided by Internet Explorer.

I think I found some informations which might lead to this bug fix.

I recently began having similar errors: DNS timeout, DNS error, and so on. Even when turning off http friendly messages option off would produce the same error so I guessed that would not be really an ‘error’.

Web development security is my job so… I can say that those errors already happened to me in during many audits. There’s only one solution to find a bug like this: sniffing the packets and trapping all requests and replies coming from/going to the server. If you want to try this, you can install an http proxy tool such as Achilles or Paros (requiring Java VM installed on your workstation).

Here is what I got: requesting an administrative page access leads into an infinite “header location” calls (response redirects) between auth.php and the requested page.

I can’t precisely enough isolate and reproduce the error yet, but I (almost sure) know that it is related to one factor: I have multiple blogs running on the same domain (www.nxtg.net) and this happens when I did some stuff as an admin in one of my blogs, then tried to switch to another blog as an admin.

Reproduction path was not found yet, but I found the workaround:

- explicitely logout when finishing your admin stuff
or
- delete your cookies

One of those two actions will allow you to access the administrative pages again.

Finally, I think the error is located into the cookie path or information stored in it.

Hope this can help…BTW, great great great job you’re doing with WP!!!

Cheers, regards, and all stuff…

.antoine

----

posted Friday, October 15, 2004 6:40 PM by saphyr with 0 Comments




Powered by Dot Net Junkies, by Telligent Systems