httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: DoS on POSTS
Date Sat, 27 Oct 2001 17:14:42 GMT
From: "Jon Travis" <>
Sent: Saturday, October 27, 2001 1:24 AM

> Like I said in my follow up post to my original, you don't even
> need to post the data to actually have this occur.  I telneted
> to the server, and let it sit there for like 47 minutes before
> I killed it.  I never had it time out.

Requesting this;

POST /cgi-bin/ HTTP/1.1

and stalling, I get a 5 minute pause, followed by;

HTTP/1.1 200 OK
Date: Sat, 27 Oct 2001 16:55:02 GMT
Server: Apache/2.0.27-dev (Win32) DAV/2 mod_ssl/3.0a0 OpenSSL/0.9.6b
Content-Length: 1553
Connection: close
Content-Type: text/plain; charset=ISO-8859-1

[content snipped]

Now that's not pretty.  Why are we returning 200 when the input is insufficient
for properly handling the request???  We strip the content-length, so the cgi
wouldn't know what to expect; it can't handle the error itself!!!

Correction, we don't strip the content length ???

Jon, try from CVS head, I suspect the timeout may have been fixed since you
first observed this behavior.  As for other unacceptable behaviors, well...

Thoughts anyone?  I'd expect such a request to 400 out.
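
Added example, not part of the original message and not httpd code: a sketch of the decision a server could make when its read timer fires on a stalled request like the one above, so that an incomplete POST is rejected instead of being handed to the CGI. The function name, the constructed sample requests and the choice of status codes (408, 411, 400) are assumptions made for illustration.

```python
# Added illustration; names and status choices are assumptions, not httpd code.
def status_on_read_timeout(buf: bytes):
    """Return (status, reason) to send when the read timer fires with only
    `buf` received, or None if the request is complete and may be dispatched."""
    head, sep, body = buf.partition(b"\r\n\r\n")
    if not sep:
        return 408, "header block never finished"
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return 400, "malformed request line"
    method, _target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return 400, "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        return 400, "HTTP/1.1 request without Host"
    if method not in ("POST", "PUT"):
        return None  # no request body expected
    if "chunked" in headers.get("transfer-encoding", "").lower():
        # Simplification: only looks for the final zero-length chunk.
        if body.endswith(b"0\r\n\r\n"):
            return None
        return 400, "chunked body never terminated"
    length = headers.get("content-length")
    if length is None:
        return 411, "body-carrying request without Content-Length"
    if not (length.isascii() and length.isdigit()):
        return 400, "invalid Content-Length"
    if len(body) < int(length):
        return 400, "body shorter than Content-Length"
    return None

# Constructed sample inputs (not captured traffic).
SAMPLES = [
    b"POST /cgi-bin/ HTTP/1.1\r\n",                      # stalled mid-headers
    b"POST /cgi-bin/ HTTP/1.1\r\n\r\n",                  # headers ended, no Host
    b"POST /cgi-bin/ HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 10\r\n\r\nabc",                    # stalled mid-body
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", status_on_read_timeout(sample))
```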

