DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=28193>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=28193

Webdav Exploit - DOS Vulnerability Apache 1.3.x Series

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From [EMAIL PROTECTED]  2004-04-05 03:11 -------
I'm not a security expert, but there are two issues I should point out:

1. If there is a security vulnerability here, it should be reported to
   [EMAIL PROTECTED], not the bug database.

2. I don't immediately see any vulnerability. As this page mentions:
   http://httpd.apache.org/security_report.html
   Apache cannot do anything about denial of service attacks where attackers
   simply use a big pipe to blow over the server with content. You can do this
   simply by sending thousands of GET requests. No need for any special webdav
   exploit. This would only be a real vulnerability if Apache is using
   resources that are not in proportion with the size of the inputs.

(The only potential issue I see here is that an attacker can fill up the logs.
This is annoying, but hardly very dangerous. It could be dealt with using a
piped-logging program that filters out these requests.)

If, after reading that, you still believe you have found a security hole,
please contact the appropriate security report address.

Thanks for using Apache!
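
A sketch of the piped-logging filter suggested in the comment above. This is an added example, not part of the original bug comment and not Apache project code. It assumes "these requests" means requests using WebDAV methods, that the log is in Common Log Format, and the script name and paths in the docstring are placeholders; the sample log lines are constructed.

```python
#!/usr/bin/env python3
"""Piped-log filter: keep WebDAV-method noise out of the main access log.

Placeholder httpd.conf hookup (script name and paths are assumptions):
    CustomLog "|/usr/local/bin/davfilter.py /var/log/apache/access_log" common
"""
import re
import sys

# Assumption: the unwanted requests are WebDAV verbs; adjust to what the server sees.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
               "LOCK", "UNLOCK", "SEARCH"}

# Common Log Format: host ident user [time] "METHOD uri proto" status bytes
REQUEST_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "([A-Za-z]+) ')

# Constructed sample input (documentation addresses), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [05/Apr/2004:03:11:00 +0000] "GET /index.html HTTP/1.0" 200 1043\n',
    '192.0.2.66 - - [05/Apr/2004:03:11:01 +0000] "PROPFIND /dav/ HTTP/1.1" 405 0\n',
    '192.0.2.66 - - [05/Apr/2004:03:11:02 +0000] "SEARCH / HTTP/1.1" 501 0\n',
    'line that does not parse as CLF\n',
]

def is_dav_noise(line):
    """True only when the line parses and its method is a WebDAV verb."""
    m = REQUEST_RE.match(line)
    return bool(m) and m.group(1).upper() in DAV_METHODS

def filter_log(lines, out, summary_every=1000):
    """Copy lines to out, dropping WebDAV noise. Returns (kept, dropped).

    Unparseable lines are kept, so a format change never silently loses logs.
    One summary line per summary_every drops keeps the flood itself visible.
    """
    kept = dropped = 0
    for line in lines:
        if is_dav_noise(line):
            dropped += 1
            if dropped % summary_every == 0:
                out.write(f"# davfilter: suppressed {summary_every} "
                          "WebDAV-method requests\n")
                out.flush()
            continue
        out.write(line)
        out.flush()  # a piped logger should not hold lines in a buffer
        kept += 1
    return kept, dropped

if __name__ == "__main__":
    with open(sys.argv[1], "a") as log:
        filter_log(sys.stdin, log)
```

The summary lines start with "#" and are not valid Common Log Format, so any log analyzer reading the file needs to skip them.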
