httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 44880] New: Program Apache 1.3.33 and before, for Windows systems, does not properly ignore certain characters that are received over a “?” in URL, which could allow remote attackers to cause a denial of service.
Date Sat, 26 Apr 2008 10:39:10 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=44880

           Summary: Program Apache 1.3.33 and before, for Windows systems,
                    does not properly ignore certain characters that are
                    received over a “?” in URL, which could allow remote
                    attackers to cause a denial of service.
           Product: Apache httpd-1.3
           Version: 1.3.33
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_log_config
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jean-francois.leclerc@orange.fr


Hello,

Maybe I have discovered a vulnerability in the Apache web server. When I try to inject
some characters in the URL, Escape_log translates them in access.log, except when
the injection begins with a “?”, for example: “http://host/?<?.......”.
But, next to the “?”, if I try to pass some hexadecimal characters, like
\x0A, the processor may run at 100% and memory takes over 1 GB. During
the problem, if I try again to inject some characters behind a “?”, nothing
is written in access.log and nothing happens.

What is happening?

Regards

Jean-François LECLERC

NB: Sorry for the second mail; for the first one I was not logged in and I sent
the email from my messenger and not from the website.

