httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 22030] - SECURITY: 4097+ bytes of stderr from cgi script causes script to hang
Date Wed, 10 Sep 2003 19:35:25 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030

SECURITY: 4097+ bytes of stderr from cgi script causes script to hang

bbb@cpan.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bbb@cpan.org
           Priority|Other                       |High
            Summary|4097+ bytes of stderr from  |SECURITY: 4097+ bytes of
                   |cgi script causes script to |stderr from cgi script
                   |hang                        |causes script to hang



------- Additional Comments From bbb@cpan.org  2003-09-10 19:35 -------
This DoS vulnerability has been ticking me off for two months now. 
The CGI is blocked on a write() to stderr trying so hard to shove the packet 
down Apache's throat and httpd is blocked waiting for something from the CGI's 
stdout, which will never happen until that stderr is consumed, which also 
never happens. 
My system gets hundreds of processes with httpd and the CGI script deadlocked 
with each other because of this issue.  I have to restart apache regularly to 
avoid grinding the server to a pulp from wasted processes or "Out of memory" 
errors. But mostly it just reaches MaxClients all the time which prevents new 
hits from being allowed (thus creating a DoS on my machine). 
I'm surprised mod_cgi was already known to be borked in this way and not 
repaired yet in the cvs source tree. 
Anyone with cvs write access to the httpd repository, I'm begging you to try 
to fix this. 
 
I bricked over modules/generators/mod_cgi.c with Jeff Trawick's version: 
 
http://www.apache.org/~trawick/mod_cgi.c 
 
And suddenly all the problems vanished on my linux box.  Thank you Jeff! 
 
Is there any reason why this is not incorporated into the httpd trunk source 
tree?  Does it break non *NIX platforms?  If so, would it be appropriate to at 
least do something like the following: 
 
#ifdef LINUX 
(new version) 
#endif 
#ifndef LINUX 
(old version) 
#endif 
 
Rolling back to Apache 1.3.28 also eliminates all these problems, but I cannot 
keep running 1.3.x because I need to use the new version of mod_php which is 
not supported as well on the old apache.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
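
The deadlock reported above comes from a parent that waits on the CGI's stdout while the child is blocked writing to a full stderr pipe. The following C code is an added example, not taken from the bug report, from the mod_cgi.c linked above, or from httpd: it shows a parent draining both pipes with poll() so neither can fill while it waits on the other. The names `fake_cgi` and `run_and_drain` are hypothetical, and the child is a constructed stand-in for a CGI script.

```c
#include <poll.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a CGI script: err_bytes of stderr, then a short stdout body. */
static void fake_cgi(size_t err_bytes) {
    char chunk[512];
    memset(chunk, 'E', sizeof chunk);
    while (err_bytes > 0) {
        size_t want = err_bytes < sizeof chunk ? err_bytes : sizeof chunk;
        ssize_t n = write(STDERR_FILENO, chunk, want);  /* blocks if nobody reads */
        if (n <= 0) _exit(1);
        err_bytes -= (size_t)n;
    }
    if (write(STDOUT_FILENO, "ok\n", 3) != 3) _exit(1);
    _exit(0);
}

/* Parent side: poll() both pipes and read whichever is ready.
 * Returns the child's exit status, or -1 on error; byte counts go to *out_n / *err_n. */
int run_and_drain(size_t err_bytes, size_t *out_n, size_t *err_n) {
    int po[2], pe[2], status, open_fds = 2;
    char buf[4096];
    *out_n = *err_n = 0;
    if (pipe(po) < 0 || pipe(pe) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(po[1], STDOUT_FILENO); dup2(pe[1], STDERR_FILENO);
        close(po[0]); close(po[1]); close(pe[0]); close(pe[1]);
        fake_cgi(err_bytes);
    }
    close(po[1]); close(pe[1]);
    struct pollfd fds[2] = { { po[0], POLLIN, 0 }, { pe[0], POLLIN, 0 } };
    while (open_fds > 0) {
        if (poll(fds, 2, -1) < 0) break;
        for (int i = 0; i < 2; i++) {
            if (!(fds[i].revents & (POLLIN | POLLHUP | POLLERR))) continue;
            ssize_t n = read(fds[i].fd, buf, sizeof buf);
            if (n > 0) { *(i == 0 ? out_n : err_n) += (size_t)n; continue; }
            close(fds[i].fd); fds[i].fd = -1; open_fds--;  /* EOF: poll ignores fd < 0 */
        }
    }
    for (int i = 0; i < 2; i++) if (fds[i].fd >= 0) close(fds[i].fd);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A parent that instead read only the stdout pipe until EOF would never return for any `err_bytes` larger than the kernel's pipe buffer, which is the hang this report describes.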
