Vulnerability in EPiServer.Forms
I have compared the header results from two web servers, one running EPiServer and the other one running EPiServer CMS 5 and it seems like CMS 5 sends "connection: close" in 304 (not modified) headers which EPi 4 doesn't.
Is this correct and is there a way to turn it off in CMS 5?
It's not correct and not something we do on purpose. I have tried to reproduce it but I can't.
Which version of EPiServer CMS?
Which operating system and service pack?
Which .NET version and service pack?
Which type of requests, is it everything or just pages or just images in some folders or..?
Any third-party plugins installed?
EPiServer 5.1.422.122
Windows 2003 32-bit standard edition, SP2
.NET 2.0 SP1, .NET 3.0 SP1 and .NET 2.0 Ajax extensions 1.0
StarCommunity 3 & StarMail
I get this problem on all static content (like CSS, JS, Pictures etc) when the server returns a 304 not modified header.
HTTP/1.x 304 Not Modified
Connection: close
Date: Thu, 25 Sep 2008 05:53:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
I have this problem on several EPi 5 sites.
Ok - I can reproduce it and have created a bug (#14668), thanks for reporting this. It looks like ASP.NET or IIS is closing the connection when Content-Length is not set.
This is only a problem on Windows Server 2003/IIS 6, I cannot reproduce it on Windows Server 2008/IIS 7.
Ok, thanks for verifying this. Do you think there will be a fix in the near future?
It will be fixed in the next version which should be SP1 for EPiServer CMS 5 R2. I really can't say when but I am guessing within a few months from now.
Will this be solved within a near future?
This bug has been fixed and tested.
The SP1 update is going into a testing and stabilization phase later this week. Usually we need a month for this phase to complete.
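An added example, not part of the thread and not EPiServer code: a small Python check that parses a raw response head like the one posted above and reports whether a 304 ends the connection and whether Content-Length is absent. The sample responses are constructed (the first is modelled on the dump in the thread), and the function names are hypothetical.

```python
# Added example: all sample responses are constructed, not captured traffic.

def parse_head(raw):
    """Split a raw HTTP response head into (version, status, headers)."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l.strip()]
    version, status = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, int(status), headers

def connection_persists(version, headers):
    """Apply HTTP persistence rules: 1.0 needs keep-alive, later versions default to it."""
    tokens = {t.strip().lower()
              for t in headers.get("connection", "").split(",") if t.strip()}
    if "close" in tokens:
        return False
    if version == "HTTP/1.0":
        return "keep-alive" in tokens
    return True

def audit(raw):
    """Flag a 304 that closes the connection, noting whether Content-Length is set."""
    version, status, headers = parse_head(raw)
    persists = connection_persists(version, headers)
    return {
        "status": status,
        "persists": persists,
        "has_content_length": "content-length" in headers,
        "flagged": status == 304 and not persists,
    }

# Constructed sample: same header set as the dump posted in the thread.
CLOSING_304 = ("HTTP/1.1 304 Not Modified\r\nConnection: close\r\n"
               "Server: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n"
               "Cache-Control: private\r\n\r\n")
# Constructed sample: a 304 that leaves the connection open.
PERSISTENT_304 = ("HTTP/1.1 304 Not Modified\r\n"
                  "ETag: \"constructed-etag\"\r\n\r\n")
# Constructed sample: a closing 200, which is outside the reported problem.
CLOSING_200 = ("HTTP/1.1 200 OK\r\nConnection: close\r\n"
               "Content-Length: 12\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("closing 304", CLOSING_304),
                      ("persistent 304", PERSISTENT_304),
                      ("closing 200", CLOSING_200)]:
        print(name, audit(raw))
```
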