www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Wedekind <Jan.Wedek...@de.uu.net>
Subject Re: mod_auth-any/1672: Authentication / .htaccess DoS attack
Date Thu, 15 Jan 1998 09:20:00 GMT
The following reply was made to PR mod_auth-any/1672; it has been noted by GNATS.

From: Jan Wedekind <Jan.Wedekind@de.uu.net>
To: Marc Slemko <marcs@znep.com>
Cc: Jan Wedekind <jan@wedekind.de>, apbugs@hyperreal.org
Subject: Re: mod_auth-any/1672: Authentication / .htaccess DoS attack 
Date: Thu, 15 Jan 1998 10:12:51 +0100

 Hello apache users,
 
 > On 14 Jan 1998, Jan Wedekind wrote:
 > 
 > > >Description:
 > > (same report will be sent to bugtraq; this is the same splitted text)
 > > 
 > > At the beginning of the week (after the release of apache 1.2.5)
 > > we discoverd a DoS attack in apache and (eventually) other / all (?)
 > > httpd's. Many thanks to Bernard "sendmail" Steiner <bs@de.uu.net>,
 > > who got the important idea.
 > > 
 > > For apache 1.2.x (and very sure all versions before), the
 > > DoS may be exploited if both of the following conditions are true:
 > 
 > Thanks for the report.  We will look at possible ways of fixing this;
 > unfortunately, stat()ing every file we try to open is very very expensive.  
 > 
 Argh ... of course.
 Never thought about the fact, that fpopen may be used to open *every*
 file.
 
 > If you have not yet posted to bugtraq, it would be appreciated if you
 > could avoid posting until we can look into this further so that we can
 > simply reduce the number of "solutions" flying around.
 
 I just tried to stop the confirmation from aleph by forwarding 
 him this mail; partly I already got some replies, but I'm not 
 sure wether they are from BUGTRAQ or apbugs mailing list.
 I didn't got the BUGTRAQ mail till now.
 
 > Your solution is reasonab, however there are performance implications that
 > make it somewhat undesirable...
 
 Of course. A more better solution would be to modify mod_auth 
 and other Moduls where user edited filenames may be opened to 
 use a modified fpopen call. (ndopen() for 'no device' for example)
 
 
 Mit freundlichen Gruessen / best regards
 
 	Jan Wedekind
 
 UUNET Deutschland GmbH            private: jan@wedekind.de
 Web Competence Center
 Jan.Wedekind@de.uu.net            URL: http://www.uunet.de
 
 

Mime
View raw message