www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Re: mod_auth-any/1672: Authentication / .htaccess DoS attack
Date Wed, 14 Jan 1998 20:10:00 GMT
The following reply was made to PR mod_auth-any/1672; it has been noted by GNATS.

From: Marc Slemko <marcs@znep.com>
To: Jan Wedekind <jan@wedekind.de>
Cc: apbugs@hyperreal.org
Subject: Re: mod_auth-any/1672: Authentication / .htaccess DoS attack
Date: Wed, 14 Jan 1998 11:52:27 -0700 (MST)

 On 14 Jan 1998, Jan Wedekind wrote:
 
 > >Description:
 > (same report will be sent to bugtraq; this is the same splitted text)
 > 
 > At the beginning of the week (after the release of apache 1.2.5)
 > we discoverd a DoS attack in apache and (eventually) other / all (?)
 > httpd's. Many thanks to Bernard "sendmail" Steiner <bs@de.uu.net>,
 > who got the important idea.
 > 
 > For apache 1.2.x (and very sure all versions before), the
 > DoS may be exploited if both of the following conditions are true:
 
 Thanks for the report.  We will look at possible ways of fixing this;
 unfortunately, stat()ing every file we try to open is very very expensive.  
 
 If you have not yet posted to bugtraq, it would be appreciated if you
 could avoid posting until we can look into this further so that we can
 simply reduce the number of "solutions" flying around.
 
 Your solution is reasonab, however there are performance implications that
 make it somewhat undesirable...
 

Mime
View raw message