severity 663723 wishlist
tags 663723 -security
retitle 663723 apache2 does not prevent DoS through .htaccess files
thanks

On Tuesday 13 March 2012, Patrick Matthäi wrote:
> I noticed on a customer's server that apache periodically crashes the
> whole system by using all the available memory until it swaps
> away.
> 
> RewriteEngine on
> RewriteBase /
> RewriteRule ^(.*)\xC3\x84(.*)$ $1Ä$2 [N,E=utf8_fixed:1]

The problem is not the special character but that this regular 
expression has quadratic complexity in the string length. Using (.*?) 
instead of (.*) everywhere will likely fix it.

This is a general problem when using regular expressions. And being 
allowed to use .htaccess means having access to regular expressions.

> Now the server runs out of memory very fast!
> 
> This is especially a big problem for shared hosters with mod_rewrite
> enabled (most vhosts require it today) where users could put
> their own .htaccess in the document root

While I don't deny that this is a problem for some use cases, it is a 
fact that the .htaccess mechanism has not been designed with limiting 
local DoS attacks in mind. There are many ways to cause a DoS with 
crafted .htaccess files. Some of these cannot be fixed without 
breaking compatibility, i.e. not within 2.2.x or 2.4.x. Therefore, 
picking out a few of these issues and fixing them in Debian does not 
make any sense. If you use prefork, you can work around this by adding 
suitable ulimit calls in /etc/apache2/envvars.

Upstream does not consider these issues security relevant, either:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201111.mbox/%3c4ec6de56.9020...@rowe-clan.net%3E

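To show what a rule like the one quoted above costs once the [N] flag re-runs it, here is an added Python emulation of that loop (not code from the report or from Apache). It assumes the "Ä" in the replacement is a single Latin-1 byte in one run and the UTF-8 byte pair in the other, since the report does not say how the file was saved.

```python
import re

# The RewriteRule pattern from the bug report, applied to the raw path bytes
# the way mod_rewrite sees them.
RULE = re.compile(rb"^(.*)\xC3\x84(.*)$")

# Two possible encodings of the replacement "Ä" (an assumption about how the
# .htaccess file was saved; the report does not say):
LATIN1_A_UMLAUT = b"\xC4"        # file saved as Latin-1: one byte
UTF8_A_UMLAUT = b"\xC3\x84"      # file saved as UTF-8: same bytes as the pattern


def rewrite_with_n_flag(path: bytes, replacement: bytes, max_passes: int = 1000):
    """Emulate the [N] flag: re-run the rule from the start until it stops matching.

    Returns (final_path, passes, bytes_scanned). bytes_scanned totals the input
    length of every pass, i.e. the work (and, in mod_rewrite, the per-request
    pool memory) the rule costs. The cap is ours; it stands in for whatever
    loop limit the server does or does not have.
    """
    passes = 0
    scanned = 0
    while passes < max_passes:
        m = RULE.match(path)
        scanned += len(path)
        if m is None:
            break
        # Greedy (.*) backtracks to the LAST occurrence, so one occurrence is
        # replaced per pass; the [N] flag then starts the whole round again.
        path = m.group(1) + replacement + m.group(2)
        passes += 1
    return path, passes, scanned


def scanned_bytes(n_umlauts: int) -> int:
    """Total bytes scanned for a path made of n_umlauts encoded 'Ä' characters."""
    return rewrite_with_n_flag(b"\xC3\x84" * n_umlauts, LATIN1_A_UMLAUT)[2]


if __name__ == "__main__":
    # Each pass shrinks the path by one byte, so a path with n occurrences
    # needs n passes over roughly 2n bytes: quadratic in the path length.
    for n in (10, 20, 40, 80):
        print(f"{n:3d} occurrences -> {scanned_bytes(n):6d} bytes scanned")
    # If the replacement has the same bytes as the pattern, the rule rewrites
    # the path to itself and the round never ends; only the cap stops it.
    _, passes, _ = rewrite_with_n_flag(b"/\xC3\x84", UTF8_A_UMLAUT, max_passes=100)
    print(f"UTF-8 replacement: stopped by the cap after {passes} passes")
```

Doubling the number of occurrences roughly quadruples the bytes scanned, which is the growth a request-size limit or a ulimit in envvars has to bound.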
Archive: http://lists.debian.org/201203132015.17642...@sfritsch.de