httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 48509] New: Apache crashes when POSTing to apache and altering the content-length
Date Fri, 08 Jan 2010 02:14:29 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=48509

           Summary: Apache crashes when POSTing to apache and altering the
                    content-length
           Product: Apache httpd-2
           Version: 2.2.14
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_isapi
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: ricemaster@fastem.com


To reproduce:
-------------
Send a valid POST request to your ISAPI DLL.
Start Fiddler2 and copy the request to the 'Request Builder'.
Go to 'Request Builder'->'Options' and untick 'Fix Content-Length header'.
Go to 'Request Builder'->'Parsed' and manually change the 'Content-Length:' to 1.
Now press execute a few times fast; in my test Apache crashes after 1-10 clicks.


Reason:
-------
When the POST command is tampered with as above, the call to
ap_get_client_block in isapi_handler (sometimes?) fails.
As a result the ISAPI DLL is unloaded - this is dangerous!! Other threads
processing other requests have already acquired the pointer to the DLL function
and now try to call it with the DLL not in memory, which crashes Apache.

Solution:
---------
There is no reason to unload the ISAPI DLL in isapi_handler; it is dangerous and
does not provide any benefit. In mod_isapi.c I have remarked all (2) calls to
isapi_unload and left only the one in cleanup_isapi, which if I understand
correctly only gets called when Apache exits (although I think it can be
removed as well). In testing this solves the issue.

Security
--------
I can't see how a hacker can manipulate the address pointer, but it's still a
fact that the server tries to jump to an invalid function pointer.
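
The unload-while-in-use hazard described in this report, beside a reference-counted alternative to simply removing the isapi_unload calls, as an added illustration that is not part of the report or of mod_isapi's own code. The module struct, module_acquire, unload_when_idle and the other names are hypothetical, the loader is simulated, and the lock a real multithreaded server needs around the counters is left out so the sequence of events stays readable.

```c
#include <stddef.h>
/* Stand-in for an ISAPI extension entry point (the real one is
 * HttpExtensionProc, reached through a pointer read from the loaded DLL). */
typedef int (*extension_proc)(int request_id);
static int demo_proc(int request_id) { return request_id * 2; }
/* Simulated loaded module; a real one would wrap LoadLibrary/FreeLibrary and
 * guard these counters with a lock, which is omitted here to keep the
 * interleaving readable. */
typedef struct {
    extension_proc proc;  /* NULL once unloaded */
    int in_use;           /* workers currently executing inside the DLL */
    int unload_pending;   /* unload requested while in_use > 0 */
} isapi_module;

static void module_load(isapi_module *m) {
    m->proc = demo_proc; m->in_use = 0; m->unload_pending = 0;
}
/* Worker takes a reference before it reads the function pointer. */
static int module_acquire(isapi_module *m) {
    if (m->proc == NULL) return 0;
    m->in_use++;
    return 1;
}
/* Unload that ignores in-flight requests: the hazard in the report. */
static void unload_immediately(isapi_module *m) { m->proc = NULL; }

/* Deferred unload: refuses while any worker is inside; the last one out
 * finishes the job.  Returns 1 when the DLL was actually unloaded. */
static int unload_when_idle(isapi_module *m) {
    if (m->in_use > 0) { m->unload_pending = 1; return 0; }
    m->proc = NULL; m->unload_pending = 0;
    return 1;
}
static int module_release(isapi_module *m) {
    return (--m->in_use == 0 && m->unload_pending) ? unload_when_idle(m) : 0;
}
/* Interleaving from the report: worker A is inside the DLL when worker B's
 * failing request triggers the unload.  Returns A's result (42) when the
 * deferred path is used, -1 if A would have called through a dangling
 * pointer, -2 if the pending unload never ran after A left. */
static int simulate(int deferred) {
    isapi_module m; module_load(&m);
    module_acquire(&m);
    extension_proc p = m.proc;            /* A snapshots the entry point */
    if (deferred) unload_when_idle(&m);   /* B: refused, marked pending */
    else unload_immediately(&m);          /* B: pointer now dangling */
    if (m.proc == NULL) return -1;        /* A would jump into unmapped code */
    int r = p(21);
    module_release(&m);                   /* A leaves; pending unload runs */
    return m.proc == NULL ? r : -2;
}
```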


