httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [Vote] .htaccess logic abuse
Date Mon, 21 Nov 2011 16:19:18 GMT
On Fri, Nov 18, 2011 at 04:38:14PM -0600, William Rowe wrote:
> After several prods, it seems the security@ and hackathon participants
> can't be drawn out of their shells on to dev@.  So I'll simply call for
> a majority vote on the following statement...

Thanks for the prod!

> Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth;
> 
>   [ ]  Represents a security defect
>   [X]  Is not a security defect

I agree for resource consumption attacks.  I think there's still a good 
case for treating bugs which allow escalation of privileges as security 
issues (i.e. something which gets you from an .htaccess file to 
arbitrary code execution in the httpd child).

Regards, Joe
