httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <h.rei...@thelounge.net>
Subject Re: MAJOR SECURITY-PROBLEM Apache 2.4.6
Date Wed, 01 Oct 2014 18:52:04 GMT

Am 01.10.2014 um 20:36 schrieb Eric Covener:
> On Wed, Oct 1, 2014 at 2:24 PM, Reindl Harald <h.reindl@thelounge.net <mailto:h.reindl@thelounge.net>>
wrote:
> 
>     i don't know what happens internally
> 
> ‚ÄčThat's what's on-topic for the development list

agreed - but ship source code to a client is serious and
in that case easily controlled by any client with enough
upstream to send some 100 MB of data to a specific URL

in case of open source systems with known config paths it
reverses the option to the opposite of admins intention

>     just that "SecRequestBodyLimit" opens a large security hole
>     because on just needs to send large data to any script
>     on the server to get the source, even scripts only
>     working as includes and contain credentials
> 
>     IMHO if a restriciton like "SecRequestBodyLimit" is triggered
>     any output should be thrown away and the error handler called
>     delivering the 403 default error page
> 
> I think you mean LimitRequestBody

indeed - sorry - that's the modsec value working as expected

> I don't think anyone has done enough homework to see what goes wrong under
> mod_php to see if a change to LimitRequestBody is needed.  It currently 
> detects the size breach and returns an error to whoever is reading the body. 
> In other words handlers have access to all kinds of filter errors, 
> so changes there are intrusive

agreed - sorry that i can't do the needed homework


Mime
View raw message