httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Fwd: Apache DSO bug caused DoS
Date Fri, 25 Apr 2003 20:59:07 GMT
Jez,

  thank you for your report.  This is just a confirmation that we have
forwarded the incident to our security team @httpd.apache.org, for
investigation.

Yours,

Bill

>From: "jez humble" <jez@india.com>
>To: security@apache.org
>Date: Fri, 25 Apr 2003 08:54:14 +0000
>Subject: Apache DSO bug caused DoS
>
>Hiya.
>
>We've been having a problem on our server which I think is due to this bug:
>
>http://bugs.php.net/bug.php?id=19113
>
>A host was repeatedly trying to CONNECT to our host in an attempt to relay spam, and was
>getting back a copy of our homepage (and the response 200 OK) every time they did so. This
>rapidly maxed out our database and caused a denial of service.
>
>Once I'd inserted the following line into httpd.conf
>
><Location />
>  <Limit CONNECT>
>    Order deny,allow
>    Deny from all
>  </Limit>
></Location>
>
>the problem was resolved (Apache now returns code 403). However, since this type of attack
>seems extremely common, I think this could be a very serious problem.
>
>Thanks,
>
>Jez Humble.
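
Added example, not part of the original message or of Apache's own tooling: a small access-log check for the symptom the report describes, CONNECT requests answered with a 2xx status instead of the 403 that the `<Limit CONNECT>` block produces. It assumes Apache common/combined log format; the function names, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log format:
#   host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def connect_summary(lines):
    """Per client, count CONNECT requests by outcome.

    'answered' = 2xx (server served content for CONNECT, the reported symptom)
    'denied'   = 403 (what the <Limit CONNECT> block returns)
    'other'    = any other status
    """
    summary = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue  # unparseable line or a non-CONNECT request
        status = int(m.group("status"))
        if 200 <= status < 300:
            outcome = "answered"
        elif status == 403:
            outcome = "denied"
        else:
            outcome = "other"
        summary.setdefault(m.group("host"), Counter())[outcome] += 1
    return summary

def exposed_clients(lines, threshold=2):
    """Clients that received at least `threshold` 2xx answers to CONNECT."""
    return sorted(host for host, counts in connect_summary(lines).items()
                  if counts["answered"] >= threshold)

# Constructed sample log lines (documentation address ranges, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Apr/2003:08:10:01 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 18432',
    '192.0.2.10 - - [25/Apr/2003:08:10:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 18432',
    '192.0.2.10 - - [25/Apr/2003:08:10:03 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 18432',
    '198.51.100.7 - - [25/Apr/2003:08:11:00 +0000] "GET / HTTP/1.1" 200 18432',
    '203.0.113.5 - - [25/Apr/2003:09:30:00 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 403 291',
]

if __name__ == "__main__":
    for host in exposed_clients(SAMPLE_LOG):
        print(host, dict(connect_summary(SAMPLE_LOG)[host]))
```

Run against a real access log, any client listed by `exposed_clients` is one for which the server is still serving full responses to CONNECT; after the `<Limit CONNECT>` change those requests should move to the `denied` count.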


