Posted to dev@httpd.apache.org by Toadie <to...@gmail.com> on 2009/06/30 06:10:42 UTC

protocol for reporting bug that 'may' be considered exploit

Hello,

I think we may have discovered an issue with mod_proxy that 'could' be
used as an exploit to render an Apache server useless.  I normally
report more benign bugs via the normal bug reporting interface.
However, this one bug is quite easy to create an exploit for so I am
looking for guidance on how to report this issue.  Should I report
this on the apache bug tool (which will make this info publicly
available)?

What I have so far

1. a confirmed repro of the bug
2. a general area where we think the offending line in the code is
causing the problem
3. attempted to fix the bug and created a patch but to no avail (we
aren't familiar with the apr* modules and various ap* functions.)

In addition I have scanned through the bug DB and found several
instances of similar symptoms that we have observed around issues with
mod_proxy.  None of the bugs has a repro. I believe we could have found a
repro case that consistently causes a lockup in Apache.

Because of the sensitivity of this bug and its relative ease to craft
an exploit, let me know how to proceed.  We are willing to work with
one or more individuals on the apache team who are familiar with the
code to repro and test one or more patches.

If the normal procedure is to report the bug via the Apache bug db,
please let me know.

Thanks in advance.

PS: During our discovery, we also found another bug but it's more
benign and I will file it as a separate bug

Re: protocol for reporting bug that 'may' be considered exploit

Posted by Toadie <to...@gmail.com>.
Thank you!

Will file one shortly.



On Mon, Jun 29, 2009 at 9:24 PM, Eric Covener<co...@gmail.com> wrote:
> On Tue, Jun 30, 2009 at 12:10 AM, Toadie<to...@gmail.com> wrote:
>> Hello,
>>
>> I think we may have discovered an issue with mod_proxy that 'could' be
>> used as an exploit to render an Apache server useless.
>
> report via email to security@apache.org ( more detail at
> http://www.apache.org/security/ )
>
>
> --
> Eric Covener
> covener@gmail.com
>

Re: protocol for reporting bug that 'may' be considered exploit

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jun 30, 2009 at 12:10 AM, Toadie<to...@gmail.com> wrote:
> Hello,
>
> I think we may have discovered an issue with mod_proxy that 'could' be
> used as an exploit to render an Apache server useless.

report via email to security@apache.org ( more detail at
http://www.apache.org/security/ )


-- 
Eric Covener
covener@gmail.com