Posted to dev@httpd.apache.org by Brian Behlendorf <br...@organic.com> on 1998/01/14 23:55:27 UTC

Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd)

I'm not yet ready to throw in the towel and say "we can't protect against
internal users causing the machine to slow to a crawl and die" - I think we
can take each case, especially the really cute ones like this, and do some
sort of workaround.

I don't understand why there's the sentiment that we need to do a stat()
everywhere - wouldn't hardcoding the equivalent of 

<Directory /dev>
deny from all
</directory>

be sufficient?  Or are we trying to do this outside of mod_access?

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
specialization is for insects				  brian@organic.com

Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd)

Posted by Marc Slemko <ma...@worldgate.com>.
On Wed, 14 Jan 1998, Brian Behlendorf wrote:

> I'm not yet ready to throw in the towel and say "we can't protect against
> internal users causing the machine to slow to a crawl and die" - I think we
> can take each case, especially the really cute ones like this, and do some
> sort of workaround.

Sure.  Let me know when you stop enumerating all the cases and I'll
wish you luck doing anything about it because most group members
will be dead by then.  <g>

While I support putting reasonable fixes in place that can eliminate
the most easily exploited problems, going case by case simply 
isn't practical.  Buffer overflows can be systematically checked in 
most cases.  "resource usage" isn't that easy.


Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd)

Posted by Marc Slemko <ma...@worldgate.com>.
On Wed, 14 Jan 1998, Brian Behlendorf wrote:

> I'm not yet ready to throw in the towel and say "we can't protect against
> internal users causing the machine to slow to a crawl and die" - I think we
> can take each case, especially the really cute ones like this, and do some
> sort of workaround.
> 
> I don't understand why there's the sentiment that we need to do a stat()
> everywhere - wouldn't hardcoding the equivalent of 

/dev isn't the only problem though.

named pipe.

symbolic link.

etc, etc.

Also, it is not the files being requested we are limiting, but other files
(e.g. .htaccess) that need to be restricted.  There is no method of
doing so right now.


Re: mod_auth-any/1672: Authentication / .htaccess DoS attack (fwd)

Posted by Dirk-Willem van Gulik <di...@jrc.it>.
On Wed, 14 Jan 1998, Brian Behlendorf wrote:

> I'm not yet ready to throw in the towel and say "we can't protect against
> internal users causing the machine to slow to a crawl and die" - I think we
> can take each case, especially the really cute ones like this, and do some
> sort of workaround.
> 
> I don't understand why there's the sentiment that we need to do a stat()
> everywhere - wouldn't hardcoding the equivalent of 
> 
> <Directory /dev>
> deny from all
> </directory>
> 
> be sufficient?  Or are we trying to do this outside of mod_access?

Actually, though we are discussing a different type of file opening here,
this might be a cheap solution; i.e. have a wrapper around _every_ open
call which adheres to 

# KeepOut: (Regex-es of) Directories and/or files; which are absolutely
#	   out of bound for any open().
KeepOut	^/dev	^/etc

(ignoring the chicken-and-egg trouble with the config file; though that
gets read twice so you could catch it second time round :-)

DW.
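As an added illustration (not httpd code and not from any of the posters above), here is what such an open() wrapper might look like once Marc's point is taken on board: the KeepOut regexes are matched against the symlink-resolved path, the open is non-blocking so a FIFO with no writer cannot stall the process, and anything that is not a regular file is refused. The `keep_out` list, the function names and the /tmp self-check are all assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed KeepOut list in the spirit of the proposed directive; each regex is
   matched against the fully resolved path (an assumption, not an httpd directive). */
static const char *keep_out[] = { "^/dev", "^/etc", NULL };

/* 1 if the resolved path matches any KeepOut pattern; an unparsable pattern fails closed. */
int path_kept_out(const char *resolved) {
    for (const char **p = keep_out; *p; p++) {
        regex_t re;
        if (regcomp(&re, *p, REG_EXTENDED | REG_NOSUB) != 0) return 1;
        int hit = regexec(&re, resolved, 0, NULL, 0) == 0;
        regfree(&re);
        if (hit) return 1;
    }
    return 0;
}

/* Guarded open() for config-type files (.htaccess, htpasswd): resolve symlinks first so
   "^/dev" cannot be dodged with a link, open non-blocking so a reader-only FIFO returns
   at once, then keep only regular files. Returns an fd >= 0, or -1 with errno set. */
int guarded_open(const char *path) {
    char resolved[PATH_MAX];
    struct stat st;
    if (realpath(path, resolved) == NULL) return -1;            /* dangling link etc. */
    if (path_kept_out(resolved)) { errno = EACCES; return -1; }
    int fd = open(resolved, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {          /* FIFO, device, dir */
        close(fd); errno = EACCES; return -1;
    }
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);       /* normal blocking reads */
    return fd;
}

/* Self-check on constructed inputs (a FIFO, a regular file, /dev/null). Returns a bitmask:
   bit 0 = FIFO refused, bit 1 = regular file accepted, bit 2 = /dev/null refused. */
int self_check(void) {
    char dir[] = "/tmp/keepoutXXXXXX", fifo[PATH_MAX], reg[PATH_MAX];
    int mask = 0, fd;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(fifo, sizeof fifo, "%s/pipe", dir);
    snprintf(reg, sizeof reg, "%s/htaccess", dir);
    if (mkfifo(fifo, 0600) == 0 && guarded_open(fifo) < 0) mask |= 1;
    if ((fd = open(reg, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd);
    if ((fd = guarded_open(reg)) >= 0) { close(fd); mask |= 2; }
    if (guarded_open("/dev/null") < 0) mask |= 4;
    unlink(fifo); unlink(reg); rmdir(dir);
    return mask;
}
```

The remaining gap is the window between realpath() and open(); O_NOFOLLOW only narrows it on the final path component, and the fstat() after open is what actually decides.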