httpd-dev mailing list archives

From "Jess M. Holle" <je...@ptc.com>
Subject Re: Fwd: Apache DSO bug caused DoS
Date Mon, 28 Apr 2003 14:44:03 GMT
So does this issue only apply if one has enabled mod_php?

--
Jess Holle

William A. Rowe, Jr. wrote:

>Jez,
>
>  thank you for your report.  This is just a confirmation that we have
>forwarded the incident to our security team @httpd.apache.org, for
>investigation.
>
>Yours,
>
>Bill
>
>  
>
>>From: "jez humble" <jez@india.com>
>>To: security@apache.org
>>Date: Fri, 25 Apr 2003 08:54:14 +0000
>>Subject: Apache DSO bug caused DoS
>>
>>Hiya.
>>
>>We've been having a problem on our server which I think is due to this bug:
>>
>>http://bugs.php.net/bug.php?id=19113
>>
>>A host was repeatedly trying to CONNECT to our host in an attempt to relay spam, and
>>was getting back a copy of our homepage (and the response 200 OK) every time they did so.
>>This rapidly maxed out our database and caused a denial of service.
>>
>>Once I'd inserted the following line into httpd.conf
>>
>><Location />
>> <Limit CONNECT>
>>   Order deny,allow
>>   Deny from all
>> </Limit>
>></Location>
>>
>>the problem was resolved (apache now returns code 403). However since this type of
>>attack seems extremely common, I think this could be a very serious problem.
>>
>>Thanks,
>>
>>Jez Humble.
>>
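
An added example, not part of the thread: a small access-log check for the condition reported above, CONNECT requests answered with a 2xx status instead of being refused. It assumes the access log is in Apache Common Log Format; the function name and the sample lines (documentation addresses, hypothetical hosts) are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')


def connect_findings(lines):
    """Count CONNECT requests per client, split by how the server answered.

    accepted: answered 2xx (content was served instead of a refusal)
    refused:  any other status (e.g. 403 once the <Limit CONNECT> block is in place)
    """
    accepted, refused = Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        host, request, status = m.groups()
        parts = request.split()
        if not parts or parts[0] != "CONNECT":
            continue
        (accepted if status.startswith("2") else refused)[host] += 1
    return accepted, refused


# Constructed sample log lines, not taken from the reporter's server.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Apr/2003:08:40:01 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 15320
192.0.2.10 - - [25/Apr/2003:08:40:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 15320
198.51.100.7 - - [25/Apr/2003:08:41:10 +0000] "GET / HTTP/1.1" 200 15320
192.0.2.10 - - [25/Apr/2003:08:55:30 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 403 291
203.0.113.5 - - [25/Apr/2003:08:56:00 +0000] "CONNECT relay.example.org:25 HTTP/1.0" 403 291
this line is malformed and is ignored
""".splitlines()

if __name__ == "__main__":
    accepted, refused = connect_findings(SAMPLE_LOG)
    for host, n in accepted.most_common():
        print(f"{host}: {n} CONNECT request(s) answered 2xx")
    for host, n in refused.most_common():
        print(f"{host}: {n} CONNECT request(s) refused")
```

Any client listed under the 2xx count indicates the server is still answering CONNECT with content, so the deny rule is either missing or not applied to that virtual host.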

