https://issues.apache.org/bugzilla/show_bug.cgi?id=56751
[email protected] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #2 from [email protected] ---
As I understand from the module's behavior, "timeout" refers to "time to first byte" of the header/body and "maxtimeout" refers to "time to last byte" of the header/body.

"type=timeout-maxtimeout,MinRate=data_rate"

What I believe is missing is the "maxtimeout" for the body:

    RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500

Instead of:

    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

The missing "maxtimeout" for the body makes the described attack effective. I believe 40 seconds is a reasonable time for "maxtimeout".

I think editing the example might be the first step, so future mod_reqtimeout users won't be vulnerable.

Is there a common channel to inform all the distributions that ship with Apache httpd, so they could consider changing their default configuration?
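A small Python model, added here and not part of the bug report or of mod_reqtimeout itself, of how the two RequestReadTimeout settings quoted above behave against the same body-upload traces. It assumes the documented extension rule (the read deadline grows by one second per MinRate bytes received and never beyond maxtimeout); the parser and the byte-arrival traces are constructed for illustration.

```python
import re

# Constructed model of the documented mod_reqtimeout rule (assumption):
# the deadline is extended by 1 second for every MinRate bytes received,
# but never past the optional maxtimeout.
DIRECTIVE_RE = re.compile(r"(\w+)=(\d+)(?:-(\d+))?(?:,MinRate=(\d+))?")


def parse_request_read_timeout(args):
    """Parse the RequestReadTimeout argument string into per-stage limits."""
    stages = {}
    for name, timeout, maxtimeout, rate in DIRECTIVE_RE.findall(args):
        stages[name] = {
            "timeout": int(timeout),
            "maxtimeout": int(maxtimeout) if maxtimeout else None,
            "min_rate": int(rate) if rate else None,
        }
    return stages


def simulate_read(stage, chunks, body_len):
    """Replay constructed (seconds, bytes) arrivals against one stage.

    Returns ("complete", t) when body_len bytes arrived before the deadline,
    ("timeout", deadline) when the deadline passed first, or ("open", deadline)
    when the trace ended with the connection still held open.
    """
    deadline = float(stage["timeout"])
    cap = stage["maxtimeout"]
    received = 0
    for t, n in chunks:
        if t > deadline:
            return ("timeout", deadline)
        received += n
        if received >= body_len:
            return ("complete", t)
        if stage["min_rate"]:
            deadline += n / stage["min_rate"]  # 1 s per MinRate bytes
            if cap is not None:
                deadline = min(deadline, float(cap))
    return ("open", deadline)


# Constructed traces: a normal 100 KB upload finishing in one second, and a
# trickle of exactly MinRate (500 B/s) for ten minutes toward a claimed 10 MB body.
NORMAL_UPLOAD = [(0.5, 50_000), (1.0, 50_000)]
TRICKLE = [(s, 500) for s in range(1, 601)]

SHIPPED = parse_request_read_timeout("header=20-40,MinRate=500 body=20,MinRate=500")
FIXED = parse_request_read_timeout("header=20-40,MinRate=500 body=20-40,MinRate=500")

if __name__ == "__main__":
    for label, conf in (("body=20", SHIPPED), ("body=20-40", FIXED)):
        print(label, "normal:", simulate_read(conf["body"], NORMAL_UPLOAD, 100_000))
        print(label, "trickle:", simulate_read(conf["body"], TRICKLE, 10_000_000))
```

With the shipped default the trickle keeps the body read open for the whole ten minutes (the deadline is always one second ahead of the sender), while the 20-40 form closes it at 40 seconds; the normal upload completes under both.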
