Security researchers from TrustWave have explained how an endless 'for' loop resulted in a denial of service vulnerability that could allow attackers to launch DOS attacks against websites hosted on Apache Tomcat servers.
The vulnerability(CVE-2014-0050) is located in Apache Commons FileUpload file. The 'for' loop in the file is coded in such a way that it will be stopped by raising an exception or by returning a value.
An attacker can send a malformed 'Content-type' header for a multipart request which could result in an infinite loop.
Multipart is often used in HTTP request for uploading files. Values in the multipart requests are separated by a magic line called "boundary". Boundary is a random string which will be defined in the 'content-type' header.
By sending a boundary value longer than 4091 characters and 'body' longer than 4096 characters, the 'for' loop won't be stopped by both 'if' statement.
TrustWave researchers managed to send four times a request containing more than 4091 characters in the boundary field that forces vulnerable tomcat server into an infinite loop. As a result, the tomcat server will end up in consuming all available CPU resources until it is stopped.
