The following reply was made to PR mod_auth-any/1672; it has been noted by GNATS.

From: Marc Slemko <[EMAIL PROTECTED]>
To: Jan Wedekind <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: mod_auth-any/1672: Authentication / .htaccess DoS attack
Date: Wed, 14 Jan 1998 11:52:27 -0700 (MST)

On 14 Jan 1998, Jan Wedekind wrote:

> >Description:
> (same report will be sent to bugtraq; this is the same split text)
>
> At the beginning of the week (after the release of apache 1.2.5)
> we discovered a DoS attack in apache and (eventually) other / all (?)
> httpd's. Many thanks to Bernard "sendmail" Steiner <[EMAIL PROTECTED]>,
> who got the important idea.
>
> For apache 1.2.x (and very sure all versions before), the
> DoS may be exploited if both of the following conditions are true:

Thanks for the report. We will look at possible ways of fixing this;
unfortunately, stat()ing every file we try to open is very very expensive.

If you have not yet posted to bugtraq, it would be appreciated if you could
avoid posting until we can look into this further so that we can simply
reduce the number of "solutions" flying around. Your solution is
reasonable, however there are performance implications that make it
somewhat undesirable...
