This page tells you how to use URL Rewriting to try to block cookie buffer overflow attacks on the Tango Application server and old versions of Witango 5.
The instructions assume that you're running Microsoft IIS.
But the same concept will work with other web servers.
Sending a very long cookie to Tango 2000 can crash your server.
With a bit of cunning hackery, people can take over your server and make it do mean things.
Move your applications to a the latest version of Witango 5. You can buy one from our friends at With Enterprises.
Alternatively, catch requests with long cookies before they get to your Tango server.
IIS allows you to install third-party plugins (called ISAPI Filters) which can change requests before it processes them.
We can use an ISAPI Filter to rewrite the URLs of suspicious requests so that IIS sends them somewhere other than Tango.
The simplest way is to send them to a made-up HTML page, like "/tango_buffer_overflow_exploit.html".
If you want immediate warnings of attacks, you might want to make a special CGI script and redirect them to that instead.
RewriteEngine On ########################################################################### # # Rule to block Tango cookie buffer overflow exploit # Apply this rule to any request containing a cookie 128 bytes long, including the name. # Rewrite anything containing a Tango extension then the end of the string, or a question mark. # NB If your server lets Tango respond to other URLs, you should include those as well. RewriteCond %{HTTP_COOKIE} .*[^;]{128}.* RewriteRule (.*)\.(taf$|taf\?|tml$|tml\?|thtml$|thtml\?)(.*) /tango_buffer_overflow_exploit.html [L] # If you're really paranoid, use # RewriteRule .* /tango_buffer_overflow_exploit.html # ...to block oversized cookies for all requests. # ###########################################################################
It should no longer be possible to send excessively large cookies to your Tango server.
Requests without excessively large cookies, or requests for pages other than .taf, .tml and .thtml, should be unaffected.
If it fails on either of those counts, please let me know.
ISAPI URL rewriting is also offered by ISAPIRewrite.
If you're using Apache, you can do the same thing (and much more) with the original ModRewrite.