EOnline hasn’t turned off dynamic StoryServer pages
May 30, 2006

E!Online has not turned off the feature in their Web publishing system that dynamically generates pages. In other words, it appears that anyone with a public URL can force the EOnline system to generate a page dynamically instead of pulling the cached version. That means it’s sucking up cycles from their application and database servers, which is a denial-of-service attack waiting to happen. Somebody could hit these dynamic pages enough to overload the application and database servers, effectively bringing their site down.
They use Vignette StoryServer (which is based on code written originally for CNET.com) to publish parts of their Web site, such as their News section. It generates pages based on a URI structure with four numeric fields separated by commas, like this:
http://www.eonline.com/News/Items/0,1,19137,00.html
The second number (1 in this case) tells StoryServer which template to use, the third number indicates which content ID to pull from the database, and the fourth number is a “capabilities” field that is almost always left at the default of 00. But it’s the first number that’s the key: a zero in that first position tells StoryServer to use the cached version of the page, if available. If it isn’t in the cache, StoryServer generates the page dynamically and caches it for the next request. Now if you change that initial 0 to a 1 instead:
http://www.eonline.com/News/Items/1,1,19137,00.html
That tells StoryServer to skip the cache and just generate the page dynamically. You’d use this feature for dynamic pages that can’t be cached, for example a search page. But for static text articles you should always use the cached (0) version.
Now if you hit the EOnline page with the dynamic URL and then view the source, you’ll see that the datestamp is always the current date. Reload the page, check the source, and you’ll get a new datestamp each time. It would appear that the page is being generated on the fly, which it should not be for this type of static news page. They should have turned off dynamic pages for this particular path.
It’s surprising, given how old StoryServer is and how well-known this particular vulnerability is, that they would leave themselves open like this. There must be some other explanation for why they’re letting these pages be generated dynamically.
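To make the URI structure concrete from the operator’s side, here is an added example (not from the original post, and not Vignette’s own code) that parses the four-field StoryServer item path, rewrites a cache-bypassing request to its cached form the way a front-end proxy could, and counts cache-bypassing requests per client over constructed access-log lines; the combined log format and the sample addresses are assumptions.

```python
import re
from collections import Counter

# StoryServer item URI: <cache-flag>,<template>,<content-id>,<capabilities>.html
# A cache flag of 0 means "serve from cache"; anything else forces dynamic generation.
STORYSERVER_PATH = re.compile(r"^(?P<prefix>.*/)(\d+),(\d+),(\d+),(\d+)\.html$")
# Assumed Apache/NCSA combined log layout: ip identd user [timestamp] "METHOD path PROTO" ...
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

def parse_storyserver_path(path):
    """Return (cache_flag, template, content_id, capabilities) as ints, or None."""
    m = STORYSERVER_PATH.match(path)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[1:])

def is_uncached_request(path):
    """True when the first field is non-zero, i.e. the request bypasses the cache."""
    fields = parse_storyserver_path(path)
    return fields is not None and fields[0] != 0

def cached_equivalent(path):
    """Rewrite a cache-bypassing item URI to its cached (0,...) form; other paths unchanged."""
    m = STORYSERVER_PATH.match(path)
    if not m or int(m.group(2)) == 0:
        return path
    return "%s0,%s,%s,%s.html" % (m.group("prefix"), m.group(3), m.group(4), m.group(5))

def find_uncached_hotspots(log_lines, threshold):
    """Count cache-bypassing item requests per client; return clients at or over threshold."""
    counts = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and is_uncached_request(m.group("path")):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log lines (not real EOnline traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2006:10:00:01 +0000] "GET /News/Items/1,1,19137,00.html HTTP/1.1" 200 18230',
    '192.0.2.10 - - [30/May/2006:10:00:02 +0000] "GET /News/Items/1,1,19137,00.html HTTP/1.1" 200 18230',
    '192.0.2.10 - - [30/May/2006:10:00:03 +0000] "GET /News/Items/1,1,19138,00.html HTTP/1.1" 200 17901',
    '198.51.100.7 - - [30/May/2006:10:00:04 +0000] "GET /News/Items/0,1,19137,00.html HTTP/1.1" 200 18230',
    '198.51.100.7 - - [30/May/2006:10:00:05 +0000] "GET /News/Items/1,1,19137,00.html HTTP/1.1" 200 18230',
]

if __name__ == "__main__":
    print(find_uncached_hotspots(SAMPLE_LOG, threshold=3))  # {'192.0.2.10': 3}
```

The same `cached_equivalent` rewrite, applied in a reverse proxy for the static news path, is the mitigation the post calls for: clients can still request the 1,... form, but the origin only ever sees the cached 0,... form.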