Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/05/08 04:53:56 UTC

DO NOT REPLY [Bug 19753] New: - Local exploit denial of service using DirectoryIndex in .htaccess

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19753

           Summary: Local exploit denial of service using DirectoryIndex in
                    .htaccess
           Product: Apache httpd-2.0
           Version: 2.0.45
          Platform: PC
               URL: n/a
        OS/Version: FreeBSD
            Status: NEW
          Severity: Major
          Priority: Other
         Component: mod_dir
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: ryan@ryano.net


In a directory configured with AllowOverride All in httpd.conf, this one line in
a .htaccess will cause (what I perceive to be) an infinite loop in a single
httpd process (using 100% CPU):

DirectoryIndex .

Subsequent reloads will cause more processes to start using as much CPU as they
can muster. My load starts going up and up and I imagine everything will start
crashing eventually (if I don't take care of it by killing Apache).

I'm running FreeBSD 4.8-STABLE with apache-2.0.45 installed from ports.
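
Added example (not part of the original report and not Apache httpd code): a Python audit that walks a document root and flags .htaccess files whose DirectoryIndex names the directory itself, as in the report above. The function names, the sample content, and the treatment of "./"-style variants as equivalent to "." are assumptions of this example.

```python
import os
import posixpath
import shlex

# Constructed sample .htaccess content for this example (not from the report).
SAMPLE = r"""# constructed example
Options -Indexes
directoryindex index.html \
    ./
DirectoryIndex .
"""

def logical_lines(text):
    """Join lines continued with a trailing backslash, then split."""
    joined = text.replace("\\\r\n", "").replace("\\\n", "")
    return joined.splitlines()

def self_referencing_indexes(text):
    """Return DirectoryIndex arguments that name the directory itself."""
    hits = []
    for line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line)      # handles quoted arguments
        except ValueError:                 # unbalanced quote: fall back
            words = line.split()
        if not words or words[0].lower() != "directoryindex":
            continue                       # directive names are case-insensitive
        for arg in words[1:]:
            # Assumption: any argument that normalizes to "." ("./", ".//")
            # is treated like the reported "DirectoryIndex ." case.
            if arg and posixpath.normpath(arg) == ".":
                hits.append(arg)
    return hits

def scan_tree(root, name=".htaccess"):
    """Map each override file under root to its flagged arguments."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = self_referencing_indexes(fh.read())
            if hits:
                findings[path] = hits
    return findings
```

Run scan_tree() over each tree where AllowOverride lets users set DirectoryIndex in .htaccess; an empty result means no file matched.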
