httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Toadie <toadie...@gmail.com>
Subject protocol for reporting bug that 'may' be considered exploit
Date Tue, 30 Jun 2009 04:10:42 GMT
Hello,

I think we may have discovered an issue with mod_proxy that 'could' be
used as an exploit to render an Apache server useless.  I normally
report more benign bugs via the normal bug reporting interface.
However, this one bug is quite easy to create an exploit for so I am
looking for guidance on how to report this issue.  Should I report
this on the apache bug tool (which will make this info publicly
available) ?

What I have so far

1. a confirmed repro of the bug
2. a general area where we think the offending line in the code is
causing the problem
3. attempted to fix the bug and created a patch but to no avail (we
aren't familiar with the apr* modules and various ap* functions.)

In addition I have scanned through the bug DB and found several
instances of similar symptoms that we have observed around issues with
mod_proxy.  None of the bug a repro. I believe we could have found a
repro case that consistently causes a lockup in Apache.

Because of the sensitivity of this bug and its relative ease to craft
an exploit, let me know how to proceed.  We are willing to work with
one or more individuals on the apache team who are familiar with the
code to repro and test one or more patches.

If the normal procedure is to report the bug via the Apache bug db,
please let me know.

Thanks in advance.

PS: During our discovery, we also found another bug but it's more
benign and I will file it as a separate bug

Mime
View raw message