httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Purl Gurl <>
Subject Re: [users@httpd] Re: Bug Versions 1.3.28/29 Fixed In 1.3.31 Or Not?
Date Tue, 18 May 2004 14:55:22 GMT
Joshua Slive wrote:
> Purl Gurl wrote:

> > My personal opinion is Apache needs a hook method to
> > allow administrators to control results of request
> > methods.
> Apache already has a very comprehensive ability to hook
> into various request methods.

Yes, and Apache does not have an ability to hook into
many request methods, some industry standard, some
not yet industry standard.

Apache's ability to hook some request methods does not
excuse it lack of ability to hook other request methods.
Not all request methods nor response codes need to be
hooked. However, disallowed request methods do need
to be hooked, specifically a 414 response.

For request methods which are not allowed, Apache should
return a 405, method not allowed, rather than a 414 error.

For WebDav, the first data to hit is "SEARCH" which is a
disallowed method, next kilobytes of garbage. A disallowed
method should take precedence over URI length.

> And what should apache do with the requests if they are blocked by IP?

What it currently does; 403 Forbidden. Simple, yes?

Use of ip address blocking should be global and take precedence
over all other transaction functions.

Currently Apache allows some ip address blocking and does not
allow ip blocking when it is really needed. That is a bug.

> As we both agree, it shouldn't just be dropping the connection.

I would rather drop the connection as do high end firewalls.

When a person is trying to hack my server, I don't care if
they are dropped, left hanging for an hour or if his monitor
blows up in his face, which is what I would like to happen.

Hackers, script kiddies, other idiots of the genre, do not
deserve to have an appropriate http transaction response,
they deserve to have their fingers smashed with a hammer.

Although almost all quality firewalls simply drop a connection,
this is not a need for Apache nor would this be logical for
a webserver environment.

> > Those using Apache are completely defenseless against
> > this WebDav exploit.
> That language is highly inflamatory.

My statement is absolute truth and is well documented,
historically and by many different people. You are
aware of intense discussion of this problem by many
people for almost a year.

>  This is not an apache "exploit"

I did not state it is. Do not twist my words into something
which I did not write. This causes me to be hostile.

WedDav does exploit an Apache bug. It is actually
an Apache exploit, and Apache is utterly defenseless.
Perhaps you will feel more comfortable to label this,

"Apache URI Length Exploit."

This will remain an Apache exploit up until an ability
to hook and deal with this, is developed. For now,
Apache remains completely defenseless and vulnerable.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message