Dag-Erling Coidan Smørgrav wrote:
> I know that there are many trivial ways of overloading a web server
> (e.g. opening tons of connection to eat up file descriptors and
> process slots), but this one seemed a little extreme, to say the
> least.

This is O(n^2) and therefore a Bad Thing(tm), that I will agree with.

> Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not
> on 1.3.1. However, there is no mention of this bug in the change log
> for 1.3.1, so I'll assume it's vulnerable.
>
> BTW, how can the Apache team be stupid enough not to provide a way of
> submitting problem reports by email? If they did, I'd've sent this to
> them first and given them a week, but they don't and I'm too friggin'
> lazy to use their web interface...

securityat_private

> Here's the 'sploit for the script kiddies. It should compile cleanly
> and work on most Unices. These are the ones I've tested it on:

And here's a band-aid for 1.3.1 - I'm sure we'll come up with something better soon. This (untested) patch should prevent the worst effects. A similar patch should work for 1.2.x.

Index: http_protocol.c =================================================================== RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v retrieving revision 1.229 diff -u -r1.229 http_protocol.c --- http_protocol.c 1998/08/06 17:30:30 1.229 +++ http_protocol.c 1998/08/07 23:02:56 @@ -714,6 +714,7 @@ int len; char *value; char field[MAX_STRING_LEN]; + int nheaders=0; /* * Read header lines until we get the empty separator line, a read error, 
@@ -723,6 +724,11 @@ char *copy = ap_palloc(r->pool, len + 1); memcpy(copy, field, len + 1); + if(++nheaders == 100) { + r->status = HTTP_BAD_REQUEST; + return; + } + if (!(value = strchr(copy, ':'))) { /* Find the colon separator */ r->status = HTTP_BAD_REQUEST; /* or abort the bad request */ return;

Cheers,

Ben.

--
Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: benat_private |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
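Review bot: In the second hunk, `if(++nheaders == 100)` hard-codes the limit as a bare literal and fires on the 100th header line, so the effective maximum is 99 accepted lines rather than 100. A named constant (or a configurable limit) with an explicit `>` comparison would make the intended bound unambiguous and easier to tune for sites that legitimately see many headers. The check also sits after `ap_palloc(r->pool, len + 1)` and the `memcpy`, so the rejected line is still allocated and copied; moving the counter test above the allocation avoids that. Since the request is dropped with only `r->status = HTTP_BAD_REQUEST`, an error-log entry at this point would let an operator distinguish a header-count rejection from the malformed-header rejection that follows it, which sets the same status.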