We noticed that with mod_proxy_ajp, it's not possible to set an
indefinite timeout like was possible with mod_jk. So a long running JSP
page, for example:
<% Thread.sleep(96); %>
With mod_proxy_ajp timeout set to 300 will cause a 503 to be thrown back
to the client since mod_proxy_ajp's
Published - ergo moving discussion from security@ to [EMAIL PROTECTED]
Of course if in the course of this discussion, you uncover a new
edge case, feel free to move that thread back to [EMAIL PROTECTED]
to discuss your new discovery.
PSNC Security Team has got the pleasure to
Hey Bill
just to clarify, these are LOCAL DoS attacks? i.e. you need access to the
machine (or the ability to execute PHP) in order for this to be an issue?
William A. Rowe, Jr. wrote:
Published - ergo moving discussion from security@ to [EMAIL PROTECTED]
Of course if in the course of this
* Ian Holsman wrote:
Hey Bill
just to clarify, these are LOCAL DoS attacks? i.e. you need access to the
machine (or the ability to execute PHP) in order for this to be an issue?
Well, if your PHP script (running on mod_php) allows code injection, it's
also remotely exploitable. Untrusted code
Ian Holsman wrote:
Hey Bill
just to clarify, these are LOCAL DoS attacks? i.e. you need access to the
machine (or the ability to execute PHP) in order for this to be an issue?
AIUI all of these are loading modules of untrusted code (or a scripting
language which gives you the same effect.) Now
On 05/29/2007 11:28 PM, William A. Rowe, Jr. wrote:
Ian Holsman wrote:
Hey Bill
just to clarify, these are LOCAL DoS attacks? i.e. you need access to the
machine (or the ability to execute PHP) in order for this to be an issue?
AIUI all of these are loading modules of untrusted code (or a
Ruediger Pluem wrote:
2 weeks? The text in the reporter's mail (see end of mail) speaks about
May 16th, 2006. This would be about a year (and this is mentioned as the
reason for publishing). When did they actually send this to security@,
and to which ([EMAIL PROTECTED], [EMAIL PROTECTED])?
My bad,
I'm retracting my two proposed choices and going with Option #3 :) Does
anyone object to Jeff's weird proposal below? I think it's the best of
both worlds.
Speak up before I hack this in.
Bill
William A. Rowe, Jr. wrote:
Jeff Trawick wrote:
On 5/23/07, William A. Rowe, Jr. [EMAIL PROTECTED]
I'd like to see new tarballs rolled soonish, given the single significant
bug that was disclosed earlier today.
Obviously most mass-vhosters are capable of compiling their own binary,
so providing the separate-pid-table patch (whoever gets around to writing
one) resolves any immediate urgency.