Re: DoS attack: apache (& other) .htaccess Authentication

From: Dustin Sallings (dustinat_private)
Date: Thu Jan 15 1998 - 22:47:26 PST


    > > If you're now trying to open this directory (or any file within)
    > > and enter any user / password combination, you'll get a
    > > hanging (death running) client. This is, because it's reading
    > > /dev/zero and searches for a colon (':') to separate
    > > the user name from the password field (mod_auth.c, get_pw(), line 127).
    > [...]
    >
    > > Because also other authentication methods may be exploitable
    > > I would prefer to patch it in a way that it's no longer
    > > possible to open /dev/zero (or any other device) for reading,
    > > so I patched fpopen() in alloc.c:
    >
    > perhaps you should stat the file and make sure it's a normal file?
    > There may be other device files which cause problems by virtue
    > of having lots of data, or by blocking for long periods of time.
    > For example a blocking read on a dialup device that waits for
    > carrier sense on a modem.  Is there any reason to allow device
    > files to be read from the config?
    >
    > This may not stop all possible attacks.  Normal files might be
    > used to indefinitely block the daemon.  For example some systems
    > allow regular users to make NFS mounts.  In this case an NFS
    > server can be brought up, mounted, then brought down.  The
    > httpd reading an nfs mounted file would then block for a long
    > period of time while NFS times out.  The same result can be
    > achieved by performing a denial of service attack against an already
    > existing NFS mount.
    >
    > Are there other ways to cause long blocking times when reading
    > normal files?  Do any common unix systems have mandatory file locking?
    
            A size limit might not be a bad thing to do.  Even a normal file (as
    someone here mentioned) can do nasty things to the webserver.  Consider:
    
    bleu:~/public_html 159> ls -l .htpasswd
    -rw-------    1 dustin   staff    1000000000000 Jan 15 22:44 .htpasswd
    
            That's a perfectly real file, but if my webserver tried to find a
    password in there...
    
    --
    Taos Mountain TS         My girlfriend asked me which one I like better.
    pub  1024/3CAE01D5 1994/11/03 Dustin Sallings <dustinat_private>
    |    Key fingerprint =  87 02 57 08 02 D0 DA D6  C8 0F 3E 65 51 98 D8 BE
    L_______________________ I hope the answer won't upset her. ____________
    
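The two mitigations raised in this thread, refusing anything that is not a regular file and capping the size the server is willing to read, can be combined in one open routine. The following is an added example written for this archive page; it is not code from Apache or from any poster. It uses fstat() on the already-open descriptor (so the check and the read refer to the same inode), opens with O_NONBLOCK so that open() itself cannot hang on a FIFO or a device waiting for carrier, and never reads past a fixed cap, so the sparse 1 TB .htpasswd from the message above is rejected before any search for ':' begins. The 1 MiB cap, the function names, and the sample files created by make_sample_file() are assumptions of this example.

```c
/* Added example, not Apache code: bounded, regular-file-only credential lookup. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Policy value assumed for this example: no password file larger than 1 MiB. */
#define MAX_PW_FILE_BYTES ((off_t)(1024 * 1024))

/* Open path read-only only if it is a regular file no larger than max_bytes.
 * Returns a descriptor >= 0, or -1 when the file is refused or cannot be opened.
 * fstat() on the open descriptor avoids the stat-then-open race; O_NONBLOCK keeps
 * open() from blocking on FIFOs or devices and is cleared once the check passes. */
int open_regular_bounded(const char *path, off_t max_bytes) {
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_size > max_bytes) {
        close(fd);
        errno = EINVAL;   /* refused: device, FIFO, directory, or too large */
        return -1;
    }
    int flags = fcntl(fd, F_GETFL);
    if (flags >= 0)
        fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
    return fd;
}

/* Look up "user:" at the start of a line, reading at most MAX_PW_FILE_BYTES.
 * Returns 1 and copies the field after the colon into out on a match, else 0. */
int lookup_user(const char *path, const char *user, char *out, size_t outlen) {
    int fd = open_regular_bounded(path, MAX_PW_FILE_BYTES);
    if (fd < 0)
        return 0;
    char *buf = malloc((size_t)MAX_PW_FILE_BYTES + 1);
    if (!buf) { close(fd); return 0; }
    size_t total = 0;
    for (;;) {
        ssize_t n = read(fd, buf + total, (size_t)MAX_PW_FILE_BYTES - total);
        if (n < 0) { if (errno == EINTR) continue; break; }
        if (n == 0) break;
        total += (size_t)n;
        if (total >= (size_t)MAX_PW_FILE_BYTES) break;   /* hard stop at the cap */
    }
    close(fd);
    buf[total] = '\0';

    int found = 0;
    size_t ulen = strlen(user);
    char *line = buf;
    while (line && *line) {
        char *nl = strchr(line, '\n');
        if (nl) *nl = '\0';
        if (strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            snprintf(out, outlen, "%s", line + ulen + 1);
            found = 1;
            break;
        }
        line = nl ? nl + 1 : NULL;
    }
    free(buf);
    return found;
}

/* Test helper: create a temp file holding content; if sparse_to > 0 the file is
 * extended with ftruncate() to that size, a sparse file like the 1 TB .htpasswd
 * shown in the message above (constructed sample data). Returns 0 on success. */
int make_sample_file(char *path, size_t pathlen, const char *content, off_t sparse_to) {
    const char tmpl[] = "/tmp/htpasswd-XXXXXX";
    if (pathlen < sizeof tmpl)
        return -1;
    memcpy(path, tmpl, sizeof tmpl);
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    size_t len = strlen(content);
    if (write(fd, content, len) != (ssize_t)len) { close(fd); return -1; }
    if (sparse_to > 0 && ftruncate(fd, sparse_to) != 0) { close(fd); return -1; }
    close(fd);
    return 0;
}

int main(void) {
    /* /dev/zero is refused before any byte is read, so no search for ':' hangs. */
    printf("/dev/zero accepted: %s\n",
           open_regular_bounded("/dev/zero", MAX_PW_FILE_BYTES) >= 0 ? "yes" : "no");
    return 0;
}
```

The size check is against st_size, not against blocks actually allocated, so a sparse file is refused on the same terms as a genuinely large one; an NFS mount that has gone away is not addressed by this routine, which is the residual case the quoted reply points out.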


