httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 44880] Program Apache 1.3.33 and before, for Windows systems, does not properly ignore certain characters that are received over a “? ” in URL, which could allow remote attackers to cause a denial of service.
Date Sat, 26 Apr 2008 12:39:36 GMT

Jean François LECLERC <> changed:

           What    |Removed                     |Added
                 CC|                            |jean-
                   |                            |
             Status|NEEDINFO                    |ASSIGNED

--- Comment #2 from Jean François LECLERC <>  2008-04-26
05:39:36 PST ---
I don't have more information. I only know that \x0A (it's a
"\n") causes a DoS (processor at 100% and RAM increased).

Maybe there's a link with access.log and particularly the ap_log_rerror function,
because using a "?" character in the URL prevents the use of this function (translating
the URL to Unicode characters before the event is written in access.log). So when I try
hex characters in the URL (causing the DoS) and I try a new URL with a ? and more,
for example :<?%20echo%20"bonjour";%20?> no event is written
in access.log during the DoS; when it's stopped, the events will be written.

With HTTP server Apache 2.2, Apache adds a "\" before \x0A, the result becomes
\\x0A in access.log and doesn't cause many problems.

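The log escaping the comment describes for Apache 2.2 (a "\" added before \x0A), as an added example that is not part of the bug report and is not Apache's own code. The helper name `escape_log_field`, its escaping rules and the sample inputs are assumptions made for illustration; it shows why doubling the backslash keeps the literal text \x0A in a URL distinct from a raw newline byte in the log.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Escape one request field for a line-oriented log (hypothetical helper).
 * - backslash becomes "\\", so the literal text \x0A sent in a URL stays
 *   distinguishable from an escaped newline byte
 * - double quote becomes "\""
 * - any other non-printable byte becomes "\xHH"
 * Returns the escaped length, or -1 if out is too small. */
int escape_log_field(const char *in, size_t inlen, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\\' || c == '"') {
            if (o + 2 >= outsz) return -1;      /* keep room for the NUL */
            out[o++] = '\\';
            out[o++] = (char)c;
        } else if (!isprint(c)) {
            if (o + 4 >= outsz) return -1;
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed inputs: the four characters \ x 0 A, and a raw LF byte. */
    const char literal[] = "/\\x0A";
    const char rawlf[]   = "/a\nb";
    char buf[64];

    if (escape_log_field(literal, strlen(literal), buf, sizeof buf) >= 0)
        printf("literal text: %s\n", buf);
    if (escape_log_field(rawlf, strlen(rawlf), buf, sizeof buf) >= 0)
        printf("raw newline:  %s\n", buf);
    return 0;
}
```

Because every byte that could end or forge a log line is rewritten, each request occupies exactly one line of the log regardless of what the URL contains.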