httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <h.rei...@thelounge.net>
Subject Re: MAJOR SECURITY-PROBLEM Apache 2.4.6
Date Thu, 02 Oct 2014 21:06:05 GMT

Am 02.10.2014 um 22:36 schrieb Joe Orton:
> On Wed, Oct 01, 2014 at 02:16:17PM -0400, Eric Covener wrote:
>> The default handler (static file handler) is a fall-through, and there is
>> not currently a way to tell it NOT to respond for something because a
>> configured module unexpectedly passed control back.  It is a relatively
>> easy opt-in feature to add, but not something that is safe for a shipped
>> release to change by default.
> 
> The PHP SAPI doesn't handle any errors while reading request body data 
> (php_apache_sapi_read_post), which it should.  The result of that is 
> that the PHP script is executed as normal, and you get a 413 response 
> with the ErrorDocument first, then the script output.  
> 
> I can't see any more serious bug here, Reindl, we lack a working repro 
> case for dumping unprocessed source here.  Can you reproduce without 
> mod_security loaded/configured?  Something must be de-configuring the 
> mod_php handler, and I can't imagine how exactly that is happening

i need to modify several configurations to make mod_security
conditional and will give feedback as soon that has happened

is there any useful way in case of httpd-prefork to get an
strace showing what happens internally on non-debug builds?

maybe it's something obvious in the direction "why is B even
called after A"

however, control that by modsec gives you even the option to
select the status code without leak source code - if a module
can do that why not the core itself unconditional?


Mime
View raw message