Posted to dev@httpd.apache.org by Michael Felt <ma...@gmail.com> on 2011/12/26 22:24:26 UTC

Re: [Vote] .htaccess logic abuse

When I am involved in Security questions I try to discuss security breaches
in terms of confidentiality, integrity and availability.

If something is supposed to be confidential, but a workaround makes it not
so - it is a security breach; idem for integrity - a workaround makes it
possible to modify data without any application knowledge hence affecting
application integrity; availability - if a "workaround" disrupts
application availability then it is a security breach.

On Fri, Nov 18, 2011 at 11:38 PM, William A. Rowe Jr.
<wr...@rowe-clan.net> wrote:

> After several prods, it seems the security@ and hackathon participants
> can't be drawn out of their shells on to dev@.  So I'll simply call for
> a majority vote on the following statement...
>
> Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth;
>
>  [ ]  Represents a security defect
>  [ ]  Is not a security defect
>
> This would obviously need to be clarified in the associated .htaccess
> documentation, be associated with an advisory and affect the conclusion
> of several recent defect reports, both embargoed and discussed plainly
> here on this list.
>