On Wed, Sep 18, 2002 at 07:31:27PM -0700, Greg Stein wrote: >... > Oh... wait a sec. I was getting too complicated. Simply sending an OPTIONS > request *with a body* to a location using mod_dav_fs as its provider will > blow up at that point. Well, mod_dav_FOO that doesn't provide versioning > support. (and assuming the body looks like a DeltaV <options> body) > > Patch coming up in one second...
Okay... I've checked in the change. I'd suggest tossing 2.0.41 and roll this fix into a 2.0.42. (I'm not suggesting using HEAD for 2.0.42) Something like: $ cvs tag -r APACHE_2_0_41 APACHE_2_0_42 # copy the tag $ cvs tag -F APACHE_2_0_42 modules/dav/main/mod_dav.c Then roll and release 2.0.42. The reason for all the trouble is simply that if you know an area on the server is DAV-enabled (which will typically be mod_dav_fs rather than _svn), then you can DoS the server by sending it one of these OPTIONS requests. The problem exists in all versions of Apache 2.0 with mod_dav(_fs) enabled, and where an attacker can find a DAV-enabled area. (btw, the problem does not occur in mod_dav 1.0.x for Apache 1.3 servers) Cheers, -g -- Greg Stein, http://www.lyra.org/
