www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From br...@hyperreal.org
Subject Re: mod_auth-any/1672: Authentication / .htaccess DoS attack
Date Wed, 20 May 1998 09:48:53 GMT
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]

Synopsis: Authentication / .htaccess DoS attack

Comment-Added-By: brian
Comment-Added-When: Wed May 20 02:48:52 PDT 1998
A change to this has been committed to the 1.3b7-dev tree:

  *) When opening "configuration" files (like httpd.conf, htaccess
     and htpasswd), Apache will not allow them to be non-/dev/null
     device files. This closes a DoS hole. At the same time,
     we use ap_pfopen to open these files to handle timeouts.
     [Jim Jagielski, Martin Kraemer]

Could you pull down a snapshot of 1.3b7-dev and let us know
if this fixes your problem?  You can get snapshots at


Thanks!  If this is good we'll possibly backport it to 1.2,
though we really want to focus on 1.3 as our main stable,
supported platform as soon as we can.

View raw message