The following reply was made to PR mod_auth-any/1672; it has been noted by
GNATS.
From: Jan Wedekind <[EMAIL PROTECTED]>
To: Marc Slemko <[EMAIL PROTECTED]>
Cc: Jan Wedekind <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: mod_auth-any/1672: Authentication / .htaccess DoS attack
Date: Thu, 15 Jan 1998 10:12:51 +0100
Hello apache users,
> On 14 Jan 1998, Jan Wedekind wrote:
>
> > >Description:
> > (same report will be sent to bugtraq; this is the same splitted text)
> >
> > At the beginning of the week (after the release of apache 1.2.5)
> > we discoverd a DoS attack in apache and (eventually) other / all (?)
> > httpd's. Many thanks to Bernard "sendmail" Steiner <[EMAIL PROTECTED]>,
> > who got the important idea.
> >
> > For apache 1.2.x (and very sure all versions before), the
> > DoS may be exploited if both of the following conditions are true:
>
> Thanks for the report. We will look at possible ways of fixing this;
> unfortunately, stat()ing every file we try to open is very very expensive.
>
Argh ... of course.
Never thought about the fact, that fpopen may be used to open *every*
file.
> If you have not yet posted to bugtraq, it would be appreciated if you
> could avoid posting until we can look into this further so that we can
> simply reduce the number of "solutions" flying around.
I just tried to stop the confirmation from aleph by forwarding
him this mail; partly I already got some replies, but I'm not
sure wether they are from BUGTRAQ or apbugs mailing list.
I didn't got the BUGTRAQ mail till now.
> Your solution is reasonab, however there are performance implications that
> make it somewhat undesirable...
Of course. A more better solution would be to modify mod_auth
and other Moduls where user edited filenames may be opened to
use a modified fpopen call. (ndopen() for 'no device' for example)
Mit freundlichen Gruessen / best regards
Jan Wedekind
UUNET Deutschland GmbH private: [EMAIL PROTECTED]
Web Competence Center
[EMAIL PROTECTED] URL: http://www.uunet.de
