[Seaside] [BUG][TEST] Seaside Security Issue

[Lukas Renggli]

Hi Avi,

we discovered a security issue with Seaside, that makes it possible to 
crash any Squeak-VM from the web.

Using the web-application in ssi.mcz it is possible to crash the Unix, 
the Carbon and the Windows VM. Clicking on the button in this 
application will start a longer-lasting task, in this example it is 
just delay of several seconds. The longer the task the easier to 
reproduce the problem, but it is also possible with much shorter 
delays. As web-browser you *have to use Internet Explorer*, as this is 
the only browser we know that is sending multiple requests when 
submitting the same form several times. To crash Squeak, simply click a 
lot onto that button in short intervals (do not wait until the page 
refreshes) and the VM will suddenly disappear ...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SSI-lr.1.mcz
Type: application/octet-stream
Size: 1054 bytes
Desc: not available
Url : http://lists.squeakfoundation.org/pipermail/seaside/attachments/20031001/848d2cfe/SSI-lr.1.obj
-------------- next part --------------


If you'd like to see what happens inside the image, open a Process 
Browser and turn the auto-update on. You will see that the requests are 
scheduled and WAProcessMonitor is waiting the other requests to finish. 
After a certain time-out WAProcessMonitor tries to terminate the 
request currently running. Probably several instances try to do that at 
the same time and the image crashes ... Well, this is not really a good 
explanation, this is just what we found out.

Cheers,
Lukas

-- 
Lukas Renggli
http://renggli.freezope.org