From: Reindl Harald
Date: Thu, 02 Oct 2014 23:06:05 +0200
To: dev@httpd.apache.org
Subject: Re: MAJOR SECURITY-PROBLEM Apache 2.4.6

On 02.10.2014 at 22:36, Joe Orton wrote:
> On Wed, Oct 01, 2014 at 02:16:17PM -0400, Eric Covener wrote:
>> The default handler (static file handler) is a fall-through, and there is
>> not currently a way to tell it NOT to respond for something because a
>> configured module unexpectedly passed control back. It is a relatively
>> easy opt-in feature to add, but not something that is safe for a shipped
>> release to change by default.
>
> The PHP SAPI doesn't handle any errors while reading request body data
> (php_apache_sapi_read_post), which it should. The result of that is
> that the PHP script is executed as normal, and you get a 413 response
> with the ErrorDocument first, then the script output.
>
> I can't see any more serious bug here, Reindl, we lack a working repro
> case for dumping unprocessed source here. Can you reproduce without
> mod_security loaded/configured? Something must be de-configuring the
> mod_php handler, and I can't imagine how exactly that is happening

I need to modify several configurations to make mod_security conditional
and will give feedback as soon as that has happened.

Is there any useful way, in the case of httpd-prefork, to get a strace
showing what happens internally on non-debug builds? Maybe it's something
obvious in the direction of "why is B even called after A".

However, controlling that via modsec even gives you the option to select
the status code without leaking source code - if a module can do that, why
not the core itself, unconditionally?