On 21/11/2011 18:19, Joe Orton wrote:
> On Fri, Nov 18, 2011 at 04:38:14PM -0600, William Rowe wrote:
>> After several prods, it seems the security@ and hackathon participants
>> can't be drawn out of their shells on to dev@. So I'll simply call for
>> a majority vote on the following statement...
> Thanks for the prod!
>
>> Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth;
>>
>> [ ] Represents a security defect
>> [X] Is not a security defect
> I agree for resource consumption attacks. I think there's still a good
> case for treating bugs which allow escalation of privileges as security
> issues (i.e. something which gets you from an .htaccess file to
> arbitrary code execution in the httpd child).
>

*cough* perl/lua *cough*
But still, users need to be warned, but it's not a "security defect" IMHO.

Issac
