httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 48509] New: Apache crashes when POSTing to apache and altering the content-length
Date Fri, 08 Jan 2010 02:14:29 GMT

           Summary: Apache crashes when POSTing to apache and altering the content-length
           Product: Apache httpd-2
           Version: 2.2.14
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_isapi

To reproduce:
1. Send a valid POST request to your ISAPI dll.
2. Start fiddler2 and copy the request to the 'Request Builder'.
3. Go to 'Request Builder'->'Options' and untick 'Fix Content-Length header'.
4. Go to 'Request Builder'->'Parsed' and manually change the 'Content-Length:' to
5. Now press execute a few times fast; in my test Apache crashes after 1-10 clicks.

When the POST command is tampered with as above, the call to
ap_get_client_block in isapi_handler (sometimes?) fails.
As a result the isapi dll is unloaded - this is dangerous!! Other threads
processing other requests have already acquired the pointer to the dll function
and now try to call it with the dll not in memory, which crashes apache.

There is no reason to unload the isapi dll in isapi_handler; it is dangerous and
does not provide any benefit. In mod_isapi.c I have remarked all (2) calls to
isapi_unload and left only the one in cleanup_isapi, which if I understand
correctly only gets called when Apache exits (although I think it can be
removed as well). In testing this solves the issue.

I can't see how a hacker can manipulate the address pointer, but it's still a
fact that the server tries to jump to an invalid function pointer.
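The failure mode described in this report (one request unloading a module whose entry point other in-flight requests still hold) and the reporter's fix (never unload from the handler) can be replayed without threads. The following is an added example written for this archive page; it is not code from the bug report, from mod_isapi or from httpd. The module, extension function, request bodies and the `read_body` stand-in for ap_get_client_block are all constructed. It contrasts the immediate unload on a body-read failure with a reference-counted, deferred unload that waits for the last in-flight request to finish, which is the general form of the mitigation the report argues for.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a loaded ISAPI extension (not mod_isapi's own
 * data structures): one entry point plus bookkeeping for in-flight requests. */
typedef int (*extension_fn)(const char *body, size_t len);

typedef struct {
    extension_fn entry;     /* NULL once the module has been "unloaded" */
    int in_use;             /* requests currently holding entry */
    int unload_requested;   /* unload asked for while requests were in flight */
    int unloads;            /* how many times the module was actually unloaded */
    int hazards;            /* unloads performed while in_use > 0 (the crash case) */
} isapi_module;

typedef struct { int a_result; int b_result; int hazards; int unloads; } outcome;

/* Constructed extension: it just reports the body length it was given. */
static int sample_extension(const char *body, size_t len) {
    (void)body;
    return (int)len;
}

static void module_load(isapi_module *m) {
    m->entry = sample_extension;
    m->in_use = m->unload_requested = m->unloads = m->hazards = 0;
}

/* The behaviour the report describes: unload immediately, regardless of
 * whether other requests still hold the entry point. */
static void module_unload_now(isapi_module *m) {
    if (m->in_use > 0) m->hazards++;   /* someone can still call a dangling pointer */
    m->entry = NULL;
    m->unload_requested = 0;
    m->unloads++;
}

/* Deferred unload: only the last request to finish actually unloads. */
static void module_request_unload(isapi_module *m) {
    m->unload_requested = 1;
    if (m->in_use == 0) module_unload_now(m);
}

static extension_fn module_acquire(isapi_module *m) {
    if (m->entry == NULL || m->unload_requested) return NULL;  /* refuse new work */
    m->in_use++;
    return m->entry;
}

static void module_release(isapi_module *m) {
    if (--m->in_use == 0 && m->unload_requested) module_unload_now(m);
}

/* Stands in for ap_get_client_block: fails (-1) when the declared
 * Content-Length does not match what the client actually sent. */
static int read_body(size_t declared_len, size_t available) {
    return declared_len == available ? (int)declared_len : -1;
}

/* Handler shaped like the report's description. With unsafe != 0 a body-read
 * failure unloads the module on the spot; otherwise the unload is deferred.
 * Returns the extension's result, -1 on body-read failure, -2 if the module
 * was already gone when the request arrived. */
static int handle_request(isapi_module *m, size_t declared_len,
                          const char *body, size_t available, int unsafe) {
    extension_fn fn = module_acquire(m);
    int n, rc;
    if (fn == NULL) return -2;
    n = read_body(declared_len, available);
    if (n < 0) {
        if (unsafe) module_unload_now(m); else module_request_unload(m);
        rc = -1;
    } else {
        rc = fn(body, (size_t)n);
    }
    module_release(m);
    return rc;
}

/* The interleaving from the report, replayed without threads: request A has
 * already taken the entry point when request B, whose declared Content-Length
 * (8) exceeds the 5 bytes it actually sent, fails its body read. */
static outcome run_interleaving(int unsafe) {
    isapi_module m;
    outcome o;
    extension_fn a_fn;
    module_load(&m);
    a_fn = module_acquire(&m);                               /* request A, valid POST */
    o.b_result = handle_request(&m, 8, "hello", 5, unsafe);  /* request B, tampered */
    /* Request A now calls the pointer it already holds. If the module is gone,
     * the real server jumps into unmapped memory; -2 stands in for that crash. */
    o.a_result = (m.entry != NULL) ? a_fn("hello", 5) : -2;
    module_release(&m);
    o.hazards = m.hazards;
    o.unloads = m.unloads;
    return o;
}

int main(void) {
    outcome u = run_interleaving(1), s = run_interleaving(0);
    printf("immediate unload: A=%d B=%d hazards=%d unloads=%d\n",
           u.a_result, u.b_result, u.hazards, u.unloads);
    printf("deferred unload:  A=%d B=%d hazards=%d unloads=%d\n",
           s.a_result, s.b_result, s.hazards, s.unloads);
    return 0;
}
```

With the immediate unload, request B's failure removes the module while request A still holds the entry point, so A's call lands on nothing (the hazard counter records one unload while in use). With the deferred unload, B only marks the module for removal, A completes normally, and the unload happens once A releases its reference. In a real multi-threaded server the `in_use` and `unload_requested` fields would have to be updated under a lock or with atomic operations; the single-threaded replay here just makes the ordering visible.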
