Ticket #15 (defect)
Opened 3 years ago
Last modified 2 years ago
Yubnub's dispatch.cgi intercepts invalid requests
Status: new
| Reported by: | jpr@openidp.org | Assigned to: | jpr@openidp.org |
|---|---|---|---|
| Priority: | major | Keywords: | yubnub DoS performance config |
| Cc: | | | |
It seems that Yubnub's dispatch.cgi processor is intercepting all URL requests even when they are invalid. This process is slow to return 404 errors. It may also overload the VM with dispatch.cgi processes if many requests are coming in. (Like from "helpful" web monitors looking for exploitable code.) This essentially degrades the performance to the point where it could be considered denial of service.
A workaround is needed.
Change History
07/27/07 13:39:03: Modified by jpr@openidp.org
07/27/07 14:46:03: Modified by jpr@openidp.org
Some extra detail for the record:
The problem is the use of the YubNub command processor in the document root. What happens is that as redirects "pass through" the myVocs box, the YubNub config wants to grab all unrecognized URL paths. This disrupts the Shibboleth flow. To work around this, rename dispatch.cgi in /var/www/myvocs-box/yubnub/ to something like dispatch.cgi-hide. This breaks the YubNub command line operation and produces an error when visiting the root URL on myVocs box, but this can be ignored for now. A proper fix is to move YubNub to a sub-URL.

Workaround: cd /var/www/myvocs-box; mv dispatch.cgi dispatch.cgi-disable
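
The "proper fix" named in the comment above (YubNub under a sub-URL), sketched as an Apache configuration. This is an added example, not the myVocs box's actual configuration: the `/yubnub` prefix is hypothetical, the directory is the one named in the ticket, and the catch-all rule is the stock Rails `.htaccess` rewrite, assumed to be what hands requests to dispatch.cgi here.

```apache
# BEFORE (assumed): the rewrite rules act on the document root, so every
# path that is not a file on disk is handed to dispatch.cgi, including
# invalid URLs and redirects passing through the box. Each such request
# costs one CGI process before a 404 comes back.
#
#   RewriteEngine On
#   RewriteCond %{REQUEST_FILENAME} !-f
#   RewriteRule ^(.*)$ dispatch.cgi [QSA,L]

# AFTER: the dispatcher is reachable only under /yubnub (hypothetical
# prefix). Unknown paths elsewhere get Apache's own 404 and never start
# a dispatch.cgi process.
Alias /yubnub /var/www/myvocs-box/yubnub

<Directory /var/www/myvocs-box/yubnub>
    # FollowSymLinks is required for mod_rewrite in directory context.
    Options +ExecCGI +FollowSymLinks
    AddHandler cgi-script .cgi
    AllowOverride None

    RewriteEngine On
    # Needed because the directory is mapped with Alias.
    RewriteBase /yubnub
    # Only paths under /yubnub that are not real files go to the dispatcher.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ dispatch.cgi [QSA,L]
</Directory>
```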