www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Castro <al...@aub.com>
Subject mod_rewrite/5431: a Self-Referring ReWriteRule uses all memory, crashes other Daemons.
Date Tue, 07 Dec 1999 00:41:36 GMT

>Number:         5431
>Category:       mod_rewrite
>Synopsis:       a Self-Referring ReWriteRule uses all memory, crashes other Daemons.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Dec  6 16:50:01 PST 1999
>Last-Modified:
>Originator:     alpha@aub.com
>Organization:
apache
>Release:        1.3.9, modular.
>Environment:
Linux 2.2.13 (Mandrake AND Redhat 6.1), altest Sucurty Fixes & etc.
Apache Values for Time To Live etc as per Distributed Ones.
gcc 2.6.2+
>Description:
Runaway process attempting to redirect a webpage to itself.
child Process apears to live beyond normal 10 mins, 
consumes all memory, starves and crahes other daemons like Sysklogd.

Trouble showed up under intense Serving due to HtDig Web Indexer on our Ethernet 
(http://www.htdig.org) which apears to open a single 
Child for all communications. 
Apache may crash up to several hours AFTER the process has ended...
may be a Bug in HtDIG too- But Apache should not be vulnerable like 
this I think...

This makes Apache vulnerable to malicious use of user-defineable commands.

>How-To-Repeat:
Do Like So:
make on a server http://www.foo.com/~someuser:
/home/someuser/public_html/.htaccess:
ReWriteEngine ON
ReWriteRule * http://www.foo.com/~someuser
(Points To Itself! Yea, I know...)

Trigger:
HtDig (http://www.htdig.org)
we run this over Ethernet. It HESITATES at the Page in Question, then moves on. 
Even after HtDig ends,
the single process running as 'nobody' that served the queries 
lives on up to 45 mins, shows up under
top M
as gradualy consumes all Memory (128MB ram!) and 90-100% CPU. (Pentium 233!)
This has in the past broght down sysklogd..
Server has ALL latest Patches, Updates etc..

Thanks!

More Explicit Info available if needed,
>Fix:
tighter control of max Mem. usage and Process Life .. Could not find Docs 
on that.

Thanks!
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]




Mime
View raw message