Re: Another flaw in Apache?

From: Alexander Yurchenko (grangeat_private)
Date: Sat Jun 22 2002 - 17:07:57 PDT

  • Next message: Ryan Sweat: "RE: Another flaw in Apache?"

    On Sat, Jun 22, 2002 at 09:11:18PM +0200, Jedi/Sector One wrote:
    >   While playing with the SetEnv directive with Apache, I noticed that httpd
    > processes are dying with a signal 11 if the data stored in an environment
    > variable was too long.
    
    Nice bug and easy to exploit. I've attached a piece of code which creates an
    .htaccess file. Requesting a directory containing this file causes all
    httpd daemons to die. Works on my OpenBSD 3.1-current.
    
    > -- 
    >  __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
    >  \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
    >   \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
    
    -- 
       Alexander Yurchenko (aka grange)
    
    
    



    This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 18:13:57 PDT