http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24951

           Summary: bad authentication data results in memory hog apache children effectively a built in DoS
           Product: Apache httpd-1.3
           Version: 1.3.29
          Platform: Sun
        OS/Version: Other
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Other mods
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

I'm compiling with OpenSSL 0.9.7c, Mod_SSL or Apache-ssl (latest built in), PHP (DSO) and mod_auth_pam (DSO) using pam_smb_auth.

Problem 1: When the SSL enabled site initially asks for authentication, if none is given or a username with no password, and OK is clicked, the apache children spin out of control consuming 10Mb of memory every second / every time the browser tries to authenticate. This will happen until the browser is killed off, the child is killed with kill -9, or the machine runs out of swap space.

This could be due to changes mod_ssl or apache-ssl make to the httpd core, but even so, this is something I would NOT regard lightly as a bug, it's more like a DoS built into the server. It doesn't take long for this bug to eat all resources on a machine if the browser / cracker continues to try to authenticate in this way. Scary.

If I haven't given enough info please let me know exactly what I need to send. I'm available at 757 221 0550

Clay Campbell
