severity 663723 wishlist tags 663723 -security retitle 663723 apache2 does not prevent DoS through .htaccess files thanks
On Tuesday 13 March 2012, Patrick Matthäi wrote: > I noticed on a customers server, that apache periodical crashes the > whole system by using the whole available memory until it swaps > away. > > RewriteEngine on > RewriteBase / > RewriteRule ^(.*)\xC3\x84(.*)$ $1Ä$2 [N,E=utf8_fixed:1] The problem is not the special character but that this regular expression has quadratic complexity in the string length. Using (.*?) instead of (.*) everywhere will likely fix it. This is a general problem when using regular expressions. And being allowed to use .htaccess means having access to regular expressions. > Now the server runs out of memory very fast! > > This is especialy a big problem for shared hosters with mod_rewrite > enabled (most vhosts require them today) where users could put > their own .htaccess to the documentroot While I don't deny that this is a problem for some use cases, it is a fact that the .htaccess mechanism has not been designed with limiting local DoS attacks in mind. There are many ways to cause a DoS with crafted .htaccess files. Some of these cannot be fixed without breaking compatibility, i.e. not within 2.2.x or 2.4.x. Therefore, picking out a few of these issues and fixing them in Debian does not make any sense. If you use prefork, you can work around this by adding suitable ulimit calls in /etc/apache2/envvars. Upstream does not consider these issues security relevant, either: http://mail-archives.apache.org/mod_mbox/httpd- dev/201111.mbox/%3c4ec6de56.9020...@rowe-clan.net%3E -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
