On 13.03.2012 20:15, Stefan Fritsch wrote:
>> RewriteEngine on
>> RewriteBase /
>> RewriteRule ^(.*)\xC3\x84(.*)$ $1Ä$2 [N,E=utf8_fixed:1]
> 
> The problem is not the special character but that this regular 
> expression has quadratic complexity in the string length. Using (.*?) 
> instead of (.*) everywhere will likely fix it.
> 
> This is a general problem when using regular expressions. And being 
> allowed to use .htaccess means having access to regular expressions.
> While I don't deny that this is a problem for some use cases, it is a 
> fact that the .htaccess mechanism has not been designed with limiting 
> local DoS attacks in mind. There are many ways to cause a DoS with 
> crafted .htaccess files. Some of these cannot be fixed without 
> breaking compatibility, i.e. not within 2.2.x or 2.4.x. Therefore, 
> picking out a few of these issues and fixing them in Debian does not 
> make any sense. If you use prefork, you can work around this by adding 
> suitable ulimit calls in /etc/apache2/envvars.
> 
> Upstream does not consider these issues security relevant, either:
> 
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201111.mbox/%3c4ec6de56.9020...@rowe-clan.net%3E

Thanks for your explanation; I thought the problem was more about the
special character handling (I couldn't test much yet).

If the regular expression is wrong, okay, but what about e.g. the
RedirectLimit? This could also cause server problems with crafted
configurations, but there an internal Apache limit is available.

In this case a shared hosting server (~300 customers) was affected and
crashed several times over months, and we had to introduce workarounds
("killer scripts") to prevent the server from crashing at all; debugging was
quite hard, aka impossible.
Here upstream should introduce something which prevents Apache from crashing
itself and the whole server.

Since this is, IMHO, a DoS - against the whole server, not only the
service - which requires "local user access" (a customer uploading his
.htaccess), it is security-relevant: severity important, okay, but not
wishlist.

Regarding the mail from apache-dev:
How is "resource abuse" defined? IMHO if the customer uploads an .htaccess
and after that e.g. the CPU load and response times are higher, okay,
that is a pure configuration issue.
But adding a few lines to crash the whole server? This is not resource
abuse.
This is something like:
- a file traversal issue where a victim could read /etc/passwd is no
security issue
- but maybe reading /etc/shadow is

From my Debian POV it is a security issue, even if upstream doesn't want it.

-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatth...@debian.org
        patr...@linux-dev.org
*/

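The quoted exchange turns on what a RewriteRule with the [N] flag actually does: after every successful substitution the rule is run again from the top until it stops matching. The script below is an added illustration written for this page (it is not Apache code and not from either poster): a toy model of that [N] loop, run over the posted pattern in its greedy form and in the (.*?) form Stefan suggests. Two things in it are assumptions: the .htaccess is taken to be saved in Latin-1, so the literal Ä in the substitution is the single byte 0xC4 and each round actually changes the URL; and the round cap (default 32000, an arbitrary number chosen here) is a hypothetical guard of the kind Patrick asks upstream for, not an Apache setting. The pathological rule used for the cap demo is also constructed for this example.

```python
"""
Toy model of mod_rewrite's [N] flag (re-run the rule after each substitution),
with a round cap. Added example, not Apache code; the cap value, the Latin-1
encoding of the substitution and the LOOPING rule are assumptions made here.
"""
import re
from typing import List, NamedTuple


class RewriteResult(NamedTuple):
    url: bytes          # URL after the last round
    rounds: int         # number of successful substitutions
    capped: bool        # True if the round cap stopped the loop
    trace: List[bytes]  # URL after each round, in order


def rewrite_with_n_flag(pattern, repl, url, max_rounds=32000):
    """Apply pattern -> repl to url repeatedly, [N]-style.

    mod_rewrite restarts rule processing after a substitution; with a single
    rule that just means "match again on the rewritten URL". A rule whose
    output still matches its own pattern never stops on its own, which is why
    the loop is bounded (hypothetical cap, not an Apache feature).
    """
    trace = []
    while len(trace) < max_rounds:
        new_url, n = pattern.subn(repl, url, count=1)
        if n == 0:
            return RewriteResult(url, len(trace), False, trace)
        url = new_url
        trace.append(url)
    return RewriteResult(url, len(trace), True, trace)


# The posted pattern, greedy as written, and the lazy variant from the reply.
# Byte patterns, because Apache matches the raw URL path.
GREEDY = re.compile(rb"^(.*)\xC3\x84(.*)$")
LAZY = re.compile(rb"^(.*?)\xC3\x84(.*)$")

# Assumption: the .htaccess was saved in Latin-1, so "Ä" in the substitution
# is the single byte 0xC4. Each round then replaces one UTF-8 umlaut (two
# bytes) with one byte and the loop terminates.
UTF8_A_UMLAUT = b"\xc3\x84"
LATIN1_REPL = b"\\1\xc4\\2"   # \1 Ä \2 with Ä as 0xC4

# Constructed pathological rule for the cap demo: matches every URL and
# reproduces it unchanged, so without a cap it would spin forever.
LOOPING = re.compile(rb"^(.*)$")
IDENTITY_REPL = b"\\1"


def demo():
    url = b"/a" + UTF8_A_UMLAUT * 3 + b"/b"
    for name, pat in (("greedy", GREEDY), ("lazy", LAZY)):
        r = rewrite_with_n_flag(pat, LATIN1_REPL, url)
        # greedy rewrites the last umlaut per round, lazy the first
        print(name, r.rounds, "rounds:", b" -> ".join([url] + r.trace))

    # Rounds grow with the number of umlauts in the URL, and every round
    # rescans the whole URL, so total matching work grows roughly with
    # (occurrences x URL length) in this model.
    big = b"/" + UTF8_A_UMLAUT * 2000
    print("2000 umlauts:", rewrite_with_n_flag(GREEDY, LATIN1_REPL, big).rounds, "rounds")

    r = rewrite_with_n_flag(LOOPING, IDENTITY_REPL, b"/x", max_rounds=100)
    print("looping rule stopped by cap:", r.capped, "after", r.rounds, "rounds")


if __name__ == "__main__":
    demo()
```

Run it as a script to see the traces. In this model the greedy and lazy forms do the same number of rounds and differ only in which umlaut each round rewrites; what makes a crafted URL expensive is that the round count is under the requester's control while each round rescans the whole path, and what makes a crafted rule dangerous is that nothing stops a rule which keeps matching its own output, which is exactly the gap a round cap closes.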