64 bit libapreq2 segfaults

2009-06-29 Thread David Winter

Hi all,

I'll summarize my problem:
my module runs fine on 32 bit (i386) machines but segfaults constantly
on 64 bit (x86_64) machines.
It seems that the address returned by apreq_handle_apache2 is out of
bounds; accessing it (e.g. with other libapreq2 functions) leads to a
segfault. The funny thing is: I got a valid address from
apreq_handle_apache2 when debugging it with gdb.


The machines I tested are Xen DomUs running CentOS 5.3. I tested  
libapreq2-2.12 as well as svn-trunk (r783546).


This is the output of my gdb session:

(gdb) run -X -d /etc/httpd
...
Program received signal SIGSEGV, Segmentation fault.
apreq_param (req=0xad4fff80, key=0x2ad7a140e981 s)
at ../include/apreq_module.h:196
196 return req->module->args_get(req, name);

(gdb) bt full
#0  apreq_param (req=0xad4fff80, key=0x2ad7a140e981 s)
at ../include/apreq_module.h:196
param = <value optimized out>
#1  0x2ad7a140e440 in cod_handler (r=0x2ad7ad4fb048) at  
mod_zeec_cod.c:179

req = (apreq_handle_t *) 0xad4fff80
s = <value optimized out>
#2  0x2ad7960c89ba in ap_run_handler () from /usr/sbin/httpd
No symbol table info available.
#3  0x2ad7960cbe32 in ap_invoke_handler () from /usr/sbin/httpd
No symbol table info available.
#4  0x2ad7960d6888 in ap_process_request () from /usr/sbin/httpd
No symbol table info available.
#5  0x2ad7960d3ac0 in ?? () from /usr/sbin/httpd
No symbol table info available.
...
(gdb) p *req
Cannot access memory at address 0xad4fff80
(gdb) return
Make apreq_param return now? (y or n) y
#0  0x2ad7a140e440 in cod_handler (
r=0x2ad7ad4fb048) at mod_zeec_cod.c:179
179 if (apreq_param(req, s))
(gdb) p *apreq_handle_apache2(r)
$3 = {module = 0x2ad7a11fe8a0, pool = 0x2ad7ad4fafd8,
  bucket_alloc = 0x2ad7ad4f8fc8}


Many thanks in advance and let me know if you need more information.

David
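
A triage check for the gdb session above, added here as an example and not part of the original post: the faulting req value has nothing above bit 31 while every valid pointer in the session starts with 0x2ad7, so it is worth testing whether req is a nearby address with its upper 32 bits lost. The thread does not confirm this; untruncate() and the 1 MiB NEAR_WINDOW are names and values assumed for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Largest distance (bytes) at which two heap objects are still treated as
 * neighbours; 1 MiB is an assumption for this sketch, not an APR constant. */
#define NEAR_WINDOW (1u << 20)

/* True when v carries no information above bit 31: either zero-extended
 * (0x00000000xxxxxxxx) or sign-extended from a 32-bit int (0xffffffffxxxxxxxx). */
static int fits_in_32_bits(uint64_t v)
{
    uint64_t hi = v >> 32;
    return hi == 0 || (hi == 0xffffffffu && (v & 0x80000000u));
}

/* If `suspect` looks like a neighbour of `ref` with the upper half cut off,
 * return the reconstructed 64-bit address; otherwise return 0. */
uint64_t untruncate(uint64_t suspect, uint64_t ref)
{
    if (!fits_in_32_bits(suspect) || (ref >> 32) == 0)
        return 0;
    uint64_t rebuilt = (ref & 0xffffffff00000000ull) | (suspect & 0xffffffffull);
    uint64_t dist = rebuilt > ref ? rebuilt - ref : ref - rebuilt;
    return dist <= NEAR_WINDOW ? rebuilt : 0;
}

int main(void)
{
    /* Values copied from the gdb session in the post. */
    const uint64_t req = 0xad4fff80ull;          /* faulting apreq_handle_t * */
    const struct { const char *name; uint64_t addr; } refs[] = {
        { "r (request_rec)",      0x2ad7ad4fb048ull },
        { "handle->pool",         0x2ad7ad4fafd8ull },
        { "handle->bucket_alloc", 0x2ad7ad4f8fc8ull },
        { "handle->module",       0x2ad7a11fe8a0ull },
    };
    for (size_t i = 0; i < sizeof refs / sizeof refs[0]; i++) {
        uint64_t full = untruncate(req, refs[i].addr);
        if (full)
            printf("%-21s -> req may really be 0x%llx\n", refs[i].name,
                   (unsigned long long)full);
        else
            printf("%-21s -> no match\n", refs[i].name);
    }
    return 0;
}
```

A match against the request and pool addresses points at a 32-bit-wide intermediate (an int-typed variable or return value) somewhere between the call and the use of req.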


Shared memory hash table.

2009-06-29 Thread Jaysingh Samuel

Hi all,
Please let me know your comments / suggestions on the following.
1. Is there any Apache APR to have a shared memory hash table? I want a hash
table which is shared and can be accessed and changed at runtime.
We can do a workaround with apr_shm and apr_rmm to achieve this, but I just
wanted to know whether there is any function already available which suits this
requirement.
Please guide me with your comments.
Thanks in advance, Jaysingh Samuel.

Bug report for Apache httpd-1.3 [2009/06/28]

2009-06-29 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed, NEW=New, ASS=Assigned, OPN=Reopened, VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker, CRI=Critical, REG=Regression, MAJ=Major, MIN=Minor, NOR=Normal, ENH=Enhancement, TRV=Trivial

|10744|New|Nor|2002-07-12|suexec might fail to open log file|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc|
|14518|Opn|Reg|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite|
|16013|Opn|Nor|2003-01-13|Fooling mod_autoindex + IndexIgnore   |
|16631|Inf|Min|2003-01-31|.htaccess errors logged outside the virtual host l|
|17318|Inf|Cri|2003-02-23|Abend on deleting a temporary cache file if proxy |
|19279|Inf|Min|2003-04-24|Invalid chmod options in solaris build|
|21637|Inf|Nor|2003-07-16|Timeout causes a status code of 200 to be logged  |
|21777|Inf|Min|2003-07-21|mod_mime_magic doesn't handle little gif files|
|22618|New|Maj|2003-08-21|MultiViews invalidates PATH_TRANSLATED if cgi-wrap|
|25057|Inf|Maj|2003-11-27|Empty PUT access control in .htaccess overrides co|
|26126|New|Nor|2004-01-14|mod_include hangs with request body   |
|26152|Ass|Nor|2004-01-15|Apache 1.3.29 and below directory traversal vulner|
|26790|New|Maj|2004-02-09|error deleting old cache file |
|29257|Opn|Nor|2004-05-27|Problem with apache-1.3.31 and mod_frontpage (dso,|
|29498|New|Maj|2004-06-10|non-anonymous ftp broken in mod_proxy |
|29538|Ass|Enh|2004-06-12|No facility used in ErrorLog to syslog|
|30207|New|Nor|2004-07-20|Piped logs don't close read end of pipe   |
|30877|New|Nor|2004-08-26|htpasswd clears passwd file on Sun when /var/tmp i|
|30909|New|Cri|2004-08-28|sporadic segfault resulting in broken connections |
|31975|New|Nor|2004-10-29|httpd-1.3.33: buffer overflow in htpasswd if calle|
|32078|New|Enh|2004-11-05|clean up some compiler warnings   |
|32539|New|Trv|2004-12-06|[PATCH] configure --enable-shared= brocken on SuSE|
|32974|Inf|Maj|2005-01-06|Client IP not set |
|33086|New|Nor|2005-01-13|unconsistency betwen 404 displayed path and server|
|33495|Inf|Cri|2005-02-10|Apache crashes with WSADuplicateSocket failed for|
|33772|New|Nor|2005-02-28|inconsistency in manual and error reporting by sue|
|33875|New|Enh|2005-03-07|Apache processes consuming CPU|
|34108|New|Nor|2005-03-21|mod_negotiation changes mtime to mtime of Document|
|34114|New|Nor|2005-03-21|Apache could interleave log entries when writing t|
|34404|Inf|Blk|2005-04-11|RewriteMap prg can not handle fpout   |
|34571|Inf|Maj|2005-04-22|Apache 1.3.33 stops logging  vhost|
|34573|Inf|Maj|2005-04-22|.htaccess not working / mod_auth_mysql|
|35424|New|Nor|2005-06-20|httpd disconnect in Timeout on CGI|
|35439|New|Nor|2005-06-21|Problem with remove /../ in util.c and mod_rewri|
|35547|Inf|Maj|2005-06-29|Problems with libapreq 1.2 and Apache::Cookie |
|3|New|Nor|2005-06-30|Can't find DBM on Debian Sarge|
|36375|Opn|Nor|2005-08-26|Cannot include http_config.h from C++ file|
|37166|New|Nor|2005-10-19|Under certain conditions, mod_cgi delivers an empt|
|37252|New|Reg|2005-10-26|gen_test_char reject NLS string   |
|38989|New|Nor|2006-03-15|restart + piped logs stalls httpd for 24 minutes (|
|39104|New|Enh|2006-03-25|[FR] fix build with -Wl,--as-needed   |
|39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn|
|39937|New|Nor|2006-06-30|Garbage output if README.html is gzipped or compre|
|40224|Ver|Nor|2006-08-10|System time crashes Apache @year 2038 (win32 only?|
|41279|New|Nor|2007-01-02|Apache 1.3.37 htpasswd is vulnerable to buffer ove|
|42355|New|Maj|2007-05-08|Apache 1.3 permits non-rfc HTTP error code = 600 |
|43626|New|Maj|2007-10-15|r->path_info returning invalid value  |
|44768|New|Blk|2008-04-07|Server suddenly reverted to showing test page only|
|44926|New|Nor|2008-05-02|1.3.41 binary downloads are faulty MSIs   |

httpd initd daemon

2009-06-29 Thread Yahav

I would like to set the httpd instance to run as a standard Linux daemon. The
daemon should be controlled by the init daemon. The problem is that the
apachectl that runs httpd starts the main server process, then
forks N StartServers and returns 0 or something else. I would like it to
hang while it runs, i.e. right before exiting, adding a select command that will
listen for some signal, like SIGTERM.
Is there any way to add it? If so, can somebody recommend the best
place to make the change? Is there already such a feature?
-- 
View this message in context: 
http://www.nabble.com/httpd-initd-daemon-tp24251132p24251132.html
Sent from the Apache HTTP Server - Dev mailing list archive at Nabble.com.



Re: httpd initd daemon

2009-06-29 Thread Graham Dumpleton
2009/6/29 Yahav bi...@lucent.com:

 I would like to set the httpd instance to run as a standard Linux daemon. The
 daemon should be controlled by the init daemon. The problem is that the
 apachectl that runs httpd starts the main server process, then
 forks N StartServers and returns 0 or something else. I would like it to
 hang while it runs, i.e. right before exiting, adding a select command that will
 listen for some signal, like SIGTERM.
 Is there any way to add it? If so, can somebody recommend the best
 place to make the change? Is there already such a feature?

Have you tried:

  httpd -DFOREGROUND

instead of apachectl.

Read the httpd manual page and Google search on that for more information.

Graham


Re: httpd initd daemon

2009-06-29 Thread Yahav

many thanks

Graham Dumpleton-2 wrote:
 
 2009/6/29 Yahav bi...@lucent.com:

 I would like to set the httpd instance to run as a standard Linux daemon. The
 daemon should be controlled by the init daemon. The problem is that the
 apachectl that runs httpd starts the main server process, then
 forks N StartServers and returns 0 or something else. I would like it to
 hang while it runs, i.e. right before exiting, adding a select command that will
 listen for some signal, like SIGTERM.
 Is there any way to add it? If so, can somebody recommend the best
 place to make the change? Is there already such a feature?
 
 Have you tried:
 
   httpd -DFOREGROUND
 
 instead of apachectl.
 
 Read the httpd manual page and Google search on that for more information.
 
 Graham
 
 




Re: httpd initd daemon

2009-06-29 Thread Yahav

Many thanks, it is working.

Graham Dumpleton-2 wrote:
 
 2009/6/29 Yahav bi...@lucent.com:

 I would like to set the httpd instance to run as a standard Linux daemon. The
 daemon should be controlled by the init daemon. The problem is that the
 apachectl that runs httpd starts the main server process, then
 forks N StartServers and returns 0 or something else. I would like it to
 hang while it runs, i.e. right before exiting, adding a select command that will
 listen for some signal, like SIGTERM.
 Is there any way to add it? If so, can somebody recommend the best
 place to make the change? Is there already such a feature?
 
 Have you tried:
 
   httpd -DFOREGROUND
 
 instead of apachectl.
 
 Read the httpd manual page and Google search on that for more information.
 
 Graham
 
 




Creating a new thread inside a module

2009-06-29 Thread h iroshan
Hi All,

I want to open a port so that my Apache httpd (2.2) can communicate with a small
piece of software running on a separate machine. Without affecting httpd, how can I
create a new thread to listen to that software?

Also, I want to start this thread when mod_proxy_balancer initializes
its balancer members (balancer_init).

Please help me,

thank you,

Iroshan
Undergraduate, UCSC
Sri Lanka


Re: Creating a new thread inside a module

2009-06-29 Thread Mladen Turk

h iroshan wrote:

Hi All,

I want to open a port so that my Apache httpd (2.2) can communicate with a small
piece of software running on a separate machine. Without affecting httpd, how can
I create a new thread to listen to that software?

Also, I want to start this thread when mod_proxy_balancer
initializes its balancer members (balancer_init).




Take a look at trunk's mod_watchdog.
It should compile with 2.2 without a problem.
However it requires to be statically compiled so it
can survive the child death.

If that's not feasible, hack it ;)


Regards
--
^(TM)


Re: Using slotmem in /mod_lbmethod_heartbeat/mod_heartmonitor

2009-06-29 Thread Jim Jagielski


On Jun 24, 2009, at 8:54 AM, jean-frederic clere wrote:


Paul Querna wrote:
On Tue, Jun 23, 2009 at 5:35 AM, jean-frederic clere jfcl...@gmail.com wrote:

Hi,

I plan to use slotmem (additionally to the actual file based logic) in the
heartbeat logic.
HeartbeatStorage mem:logs/hb.dat (slotmem and key/save uses logs/hb.dat).
HeartbeatStorage logs/hb.dat (existing logic).

Of course the heartbeat handler will use slotmem and issue an error at the
start if that is not the storage configured. (Actually the heartbeat
handler doesn't work).

The slotmem element will use the proxy_worker_stat and heartbeat actual
format... (Well, a string big enough).

Comments?

why do we need to store the same information twice?


Not twice, I will just keep the old file logic and add a new one,
the proxy_worker_stat would come from the slotmem not from the
scoreboard.




+1


Re: mod_noloris: mitigating against slowloris-style attack

2009-06-29 Thread Jim Jagielski


On Jun 25, 2009, at 11:12 AM, William A. Rowe, Jr. wrote:


Nick Kew wrote:


Is this worth hacking up, or more trouble than it saves?


It already lives in /repos/asf/httpd/mod_ftp/trunk/modules/ftp/ ...
see the http://httpd.apache.org/mod_ftp/mod/mod_ftp.html#ftplimitloginip
docs.  It would be reasonably simple to rip this out and use a single
shared implementation for both protocols.

An extended scoreboard based solution would be much more efficient,
I suspect.



Actually, I have a hacked version that uses mod_slotmem :)


Re: Mitigating the Slowloris DoS attack

2009-06-29 Thread Jim Jagielski


On Jun 24, 2009, at 5:18 AM, Joe Orton wrote:


Regardless, the only thing I've ever wanted to see changed in the server
which would somewhat mitigate this type of attack is to have coarser
granularity on timeouts, e.g. per-request-read, rather than simply
per-IO-operation.


++1. Timeout would set universal defaults and we could then
have something like Timeout ReqRead 2 to provide further refinement.
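
The difference between a per-IO-operation timeout and a per-request-read timeout, as discussed in the two messages above, shown in an added example that is not httpd code and not from the thread. read_request_head(), slow_client() and the return codes are names assumed for this sketch; the slow client is a constructed local process writing into a pipe.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Read a request head (up to the blank line) from fd into buf.
 * io_ms bounds each wait for data; req_ms bounds the whole head (0 = off).
 * Returns length on success, -1 per-IO timeout, -2 request budget spent,
 * -3 EOF, error or head larger than cap. */
int read_request_head(int fd, char *buf, size_t cap, int io_ms, int req_ms)
{
    size_t len = 0;
    long deadline = now_ms() + req_ms;
    while (len + 1 < cap) {
        int wait = io_ms;
        long left = deadline - now_ms();
        if (req_ms > 0 && left <= 0) return -2;
        if (req_ms > 0 && left < wait) wait = (int)left;
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int rc = poll(&p, 1, wait);
        if (rc < 0 && errno == EINTR) continue;
        if (rc < 0) return -3;
        if (rc == 0) return wait < io_ms ? -2 : -1;
        ssize_t n = read(fd, buf + len, cap - 1 - len);
        if (n <= 0) return -3;
        len += (size_t)n;
        buf[len] = '\0';
        if (strstr(buf, "\r\n\r\n")) return (int)len;
    }
    return -3;
}

/* Constructed slow client: a child process that writes one header line
 * every gap_ms and never sends the final blank line. Returns the read end. */
int slow_client(int lines, int gap_ms)
{
    int fds[2];
    if (pipe(fds) < 0) return -1;
    if (fork() == 0) {
        close(fds[0]);
        for (int i = 0; i < lines; i++) {
            if (write(fds[1], "X-a: b\r\n", 8) < 0) _exit(1);
            poll(NULL, 0, gap_ms);          /* portable millisecond sleep */
        }
        _exit(0);
    }
    close(fds[1]);
    return fds[0];
}

int main(void)
{
    char buf[4096];
    /* 8 lines, 100 ms apart: each gap is far below the 1000 ms per-IO limit. */
    printf("per-IO only:     %d\n", read_request_head(slow_client(8, 100), buf, sizeof buf, 1000, 0));
    printf("300 ms head cap: %d\n", read_request_head(slow_client(8, 100), buf, sizeof buf, 1000, 300));
    return 0;
}
```

With only the per-IO limit the reader stays occupied until the client goes away (-3 after about 800 ms, never -1); with the request budget it gives up at 300 ms (-2) no matter how regularly the bytes arrive.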



Re: A modest proposal, was Re: Mitigating the Slowloris DoS attack

2009-06-29 Thread Jim Jagielski


On Jun 23, 2009, at 8:39 PM, Akins, Brian wrote:


On 6/23/09 12:48 AM, Paul Querna p...@querna.org wrote:


Mitigation is the wrong approach.

We all know our architecture is wrong.


Another heretical suggestion:

Lighttpd and nginx are both released under BSD-like licenses.

Hear me out.

I've actually been thinking how possible would it be to transform one of
them into httpd 3.0?


Most prob not that hard since Lighttpd is a fork of Apache 1.3.



Re: Creating a new thread inside a module

2009-06-29 Thread h iroshan
Hi Mladen Turk,

Thank you. In Apache 2.2.x trunk there is no such module as mod_watchdog. Is
this from a later version? Can I compile this in DSO mode with
mod_proxy_balancer?

Help me

Iroshan.





 Take a look at trunk's mod_watchdog.
 It should compile with 2.2 without a problem.
 However it requires to be statically compiled so it
 can survive the child death.

 If that's not feasible, hack it ;)


 Regards
 --
 ^(TM)



Re: Creating a new thread inside a module

2009-06-29 Thread h iroshan
Hi All
Actually I need to modify Apache and run one custom background thread.
In addition, my custom modules have to be able to access the shared
memory and it should be done through the background thread. Did anybody do
this before? Is there an example I can use as a starting point?

please help me.

Best Regards,
Iroshan
Under graduate
UCSC
Sri Lanka.


Re: Creating a new thread inside a module

2009-06-29 Thread Mladen Turk

h iroshan wrote:

Hi All
Actually I need to modify Apache and run one custom background
thread. In addition, my custom modules have to be able to access
the shared memory and it should be done through the background thread.
Did anybody do this before? Is there an example I can use as a
starting point?


please help me.



I already told you to look at the trunk (mod_watchdog)
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/core/

It is used to manage the heartbeat module at regular
intervals (you might look at this as well) and it
listens and sends data via socket using shared memory extensively
and can manage mod_proxy (well should ;)

Regards
--
^(TM)


Re: Creating a new thread inside a module

2009-06-29 Thread William A. Rowe, Jr.
Mladen Turk wrote:
 
 Take a look at trunk's mod_watchdog.
 It should compile with 2.2 without a problem.
 However it requires to be statically compiled so it
 can survive the child death.

*That's* the reason for static?!?   See mod_aspdotnet and several
others for how to pin a particular .so module for the lifetime of
the process, instead of per-restart.

No modules in trunk should require static compilation, period.


Re: Creating a new thread inside a module

2009-06-29 Thread h iroshan
Hi Mladen Turk,

Thank you very much. I have roughly gone through mod_watchdog. I create my
background thread inside the balancer_init method in the mod_proxy_balancer
module. But after the balancer_init method finishes executing, my thread
also terminates automatically. Do you or anybody have an idea how to avoid this? I
need to run my background thread until the server is stopped by the user.

Best Regards,

Iroshan.


protocol for reporting bug that 'may' be considered exploit

2009-06-29 Thread Toadie
Hello,

I think we may have discovered an issue with mod_proxy that 'could' be
used as an exploit to render an Apache server useless.  I normally
report more benign bugs via the normal bug reporting interface.
However, this one bug is quite easy to create an exploit for so I am
looking for guidance on how to report this issue.  Should I report
this on the apache bug tool (which will make this info publicly
available) ?

What I have so far

1. a confirmed repro of the bug
2. a general area where we think the offending line in the code is
causing the problem
3. attempted to fix the bug and created a patch but to no avail (we
aren't familiar with the apr* modules and various ap* functions.)

In addition I have scanned through the bug DB and found several
instances of similar symptoms that we have observed around issues with
mod_proxy.  None of the bugs has a repro. I believe we could have found a
repro case that consistently causes a lockup in Apache.

Because of the sensitivity of this bug and its relative ease to craft
an exploit, let me know how to proceed.  We are willing to work with
one or more individuals on the apache team who are familiar with the
code to repro and test one or more patches.

If the normal procedure is to report the bug via the Apache bug db,
please let me know.

Thanks in advance.

PS: During our discovery, we also found another bug but it's more
benign and I will file it as a separate bug


Re: protocol for reporting bug that 'may' be considered exploit

2009-06-29 Thread Eric Covener
On Tue, Jun 30, 2009 at 12:10 AM, Toadie toadie...@gmail.com wrote:
 Hello,

 I think we may have discovered an issue with mod_proxy that 'could' be
 used as an exploit to render an Apache server useless.

report via email to secur...@apache.org ( more detail at
http://www.apache.org/security/ )


-- 
Eric Covener
cove...@gmail.com


Re: Creating a new thread inside a module

2009-06-29 Thread Mladen Turk

William A. Rowe, Jr. wrote:

However it requires to be statically compiled so it
can survive the child death.


*That's* the reason for static?!?   See mod_aspdotnet and several
others for how to pin a particular .so module for the lifetime of
the process, instead of per-restart.



Why can't we make some simpler API for such modules instead
of hacking the current one when it is obvious that there are
modules that cannot survive the graceful restart?


No modules in trunk should require static compilation, period.



There is a difference between should and must, but seems
to me there's no decent API for that.

Regards
--
^(TM)


Re: protocol for reporting bug that 'may' be considered exploit

2009-06-29 Thread Toadie
Thank you!

Will file one shortly.



On Mon, Jun 29, 2009 at 9:24 PM, Eric Covener cove...@gmail.com wrote:
 On Tue, Jun 30, 2009 at 12:10 AM, Toadie toadie...@gmail.com wrote:
 Hello,

 I think we may have discovered an issue with mod_proxy that 'could' be
 used as an exploit to render an Apache server useless.

 report via email to secur...@apache.org ( more detail at
 http://www.apache.org/security/ )


 --
 Eric Covener
 cove...@gmail.com