Return-Path:
Delivered-To: apache-bugdb-archive@hyperreal.org
Received: (qmail 2006 invoked by uid 6000); 15 Jan 1998 09:20:06 -0000
Received: (qmail 1968 invoked by uid 2001); 15 Jan 1998 09:20:00 -0000
Date: 15 Jan 1998 09:20:00 -0000
Message-ID: <19980115092000.1967.qmail@hyperreal.org>
To: apache-bugdb@apache.org
Cc: apache-bugdb@apache.org,
From: Jan Wedekind
Subject: Re: mod_auth-any/1672: Authentication / .htaccess DoS attack
Reply-To: Jan Wedekind
Sender: apache-bugdb-owner@apache.org
Precedence: bulk

The following reply was made to PR mod_auth-any/1672; it has been noted by GNATS.

From: Jan Wedekind
To: Marc Slemko
Cc: Jan Wedekind, apbugs@hyperreal.org
Subject: Re: mod_auth-any/1672: Authentication / .htaccess DoS attack
Date: Thu, 15 Jan 1998 10:12:51 +0100

Hello apache users,

> On 14 Jan 1998, Jan Wedekind wrote:
>
> > >Description:
> > (same report will be sent to bugtraq; this is the same split text)
> >
> > At the beginning of the week (after the release of apache 1.2.5)
> > we discovered a DoS attack in apache and (eventually) other / all (?)
> > httpd's. Many thanks to Bernard "sendmail" Steiner,
> > who got the important idea.
> >
> > For apache 1.2.x (and very sure all versions before), the
> > DoS may be exploited if both of the following conditions are true:
>
> Thanks for the report. We will look at possible ways of fixing this;
> unfortunately, stat()ing every file we try to open is very very expensive.

Argh ... of course. Never thought about the fact that fpopen may be
used to open *every* file.

> If you have not yet posted to bugtraq, it would be appreciated if you
> could avoid posting until we can look into this further so that we can
> simply reduce the number of "solutions" flying around.

I just tried to stop the confirmation from aleph by forwarding him this
mail; partly I already got some replies, but I'm not sure whether they are
from BUGTRAQ or apbugs mailing list. I didn't get the BUGTRAQ mail till now.

> Your solution is reasonable, however there are performance implications that
> make it somewhat undesirable...

Of course. A better solution would be to modify mod_auth and other
modules where user edited filenames may be opened to use a modified
fpopen call. (ndopen() for 'no device' for example)

Best regards
Jan Wedekind

UUNET Deutschland GmbH        private: jan@wedekind.de
Web Competence Center         Jan.Wedekind@de.uu.net
URL: http://www.uunet.de