Date: 27 Feb 2003 04:50:00 -0000
Message-ID: <20030227045000.11908.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 17462] New: - mod_rewrite DoS

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17462

           Summary: mod_rewrite DoS
           Product: Apache httpd-1.3
           Version: 1.3.27
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: mod_rewrite
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: dariofg@ig.com.br

The following code on an .htaccess file

    RewriteEngine On
    RewriteBase /
    RewriteRule ^(.*) /index.html

can get the httpd process REALLY busy. Just place it in the main directory, but it'll work in a subdirectory, in which case change the last line to

    RewriteRule ^(.*) /subdir/index.html

The file index.html SHOULD NOT exist. Then call http://yoursite.com/ or http://yoursite.com/subdir/ and the browser window won't stop loading.

On the server side, you'll get a pretty nasty httpd process using up a whole lot of CPU and memory. And if the URL is called a bunch of times, the server can lock up!

I did not experience the bug on Apache 2.0.40 (Red Hat 8.0 RPM install), only on 1.3.27, both compiled by hand and RH 7.3 RPM install.

-Dario Gomes
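
A static check for the rule shape reported above, as an added example that is not part of the original report or of Apache: it flags unconditioned RewriteRule lines whose pattern also matches the path they rewrite to. The function name, the constructed contrast rules, the use of RewriteBase as the per-directory prefix and Python's `re` standing in for Apache's regex engine are assumptions.

```python
import re

# Rule from the bug report above, plus two constructed variants for contrast.
REPORTED = "RewriteEngine On\nRewriteBase /\nRewriteRule ^(.*) /index.html\n"
CONSTRUCTED_OK = (
    "RewriteEngine On\nRewriteBase /\n"
    "RewriteRule ^old/(.*) /index.html\n"            # target does not match the pattern
    "RewriteCond %{REQUEST_URI} !^/index\\.html$\n"  # conditioned: left to manual review
    "RewriteRule ^(.*) /index.html\n"
)

def self_matching_rules(htaccess_text):
    """Return [(line_no, pattern, substitution)] for unconditioned RewriteRules
    whose pattern also matches the path they rewrite to."""
    base, conditioned, hits = "/", False, []
    for n, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "rewritebase":
            base = parts[1].rstrip("/") + "/"
        elif name == "rewritecond":
            conditioned = True
        elif name == "rewriterule" and len(parts) >= 3:
            pattern, subst = parts[1], parts[2]
            flags = parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []
            skip, conditioned = conditioned, False  # conditions apply to this rule only
            redirect = any(f.split("=")[0] in ("R", "REDIRECT") for f in flags)
            # Skip what cannot be judged statically: conditioned rules, "-" (no
            # substitution), external redirects, and targets built from $N/%N.
            if skip or redirect or subst == "-" or "://" in subst or re.search(r"[$%]", subst):
                continue
            # Assumption: the per-directory prefix equals RewriteBase, so the
            # pattern next sees the target with that prefix removed.
            target = subst[len(base):] if subst.startswith(base) else subst.lstrip("/")
            negate = pattern.startswith("!")
            try:  # Python's re stands in for Apache's regex engine (assumption)
                matched = re.search(pattern.lstrip("!"), target) is not None
            except re.error:
                continue
            if matched != negate:
                hits.append((n, pattern, subst))
    return hits

if __name__ == "__main__":
    for n, pattern, subst in self_matching_rules(REPORTED):
        print(f"line {n}: pattern {pattern!r} also matches its own target {subst!r}")
```

A hit means the rule deserves review, not that a given server build will loop on it; rules carrying a RewriteCond are skipped rather than cleared.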