Posted to apache-bugdb@apache.org by br...@hyperreal.org on 1998/05/20 11:48:53 UTC

Re: mod_auth-any/1672: Authentication / .htaccess DoS attack

[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]


Synopsis: Authentication / .htaccess DoS attack

Comment-Added-By: brian
Comment-Added-When: Wed May 20 02:48:52 PDT 1998
Comment-Added:
A change to this has been committed to the 1.3b7-dev tree:

  *) When opening "configuration" files (like httpd.conf, htaccess
     and htpasswd), Apache will not allow them to be non-/dev/null
     device files. This closes a DoS hole. At the same time,
     we use ap_pfopen to open these files to handle timeouts.
     [Jim Jagielski, Martin Kraemer]

Could you pull down a snapshot of 1.3b7-dev and let us know
if this fixes your problem?  You can get snapshots at

http://dev.apache.org/from-cvs/

Thanks!  If this is good we'll possibly backport it to 1.2,
though we really want to focus on 1.3 as our main stable,
supported platform as soon as we can.
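The check described in the 1.3b7-dev changelog entry above (refuse to read a "configuration" file such as httpd.conf, .htaccess or htpasswd when it is a device file other than /dev/null), as an added worked example. This is illustrative code written for this page, not Apache's own patch: the status codes, function names and the /tmp sample paths are my assumptions, and the timeout handling the entry attributes to ap_pfopen is not reproduced here. It classifies the open descriptor with fstat(2) rather than stat(2) on the path, so a symlink such as ".htaccess -> /dev/zero" is judged by its target and the path cannot be swapped between check and open; it also opens with O_NONBLOCK so that a FIFO with no writer cannot hang the server at open(2).

```c
/* Added example (not Apache code): reject non-/dev/null device files
 * and other non-regular files before reading them as configuration. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical status codes for this example. */
enum cfg_status {
    CFG_OK = 0,          /* regular file, or the real /dev/null */
    CFG_ERR_OPEN = 1,    /* open(2) failed */
    CFG_ERR_STAT = 2,    /* fstat(2) failed */
    CFG_ERR_DEVICE = 3,  /* char/block device other than /dev/null */
    CFG_ERR_NOTREG = 4   /* FIFO, socket, directory, ... */
};

/* Classify an already-open descriptor. Checking the fd (not the path)
 * follows symlinks to their target and avoids a stat/open race. */
static enum cfg_status classify_config_fd(int fd)
{
    struct stat st, null_st;
    if (fstat(fd, &st) != 0)
        return CFG_ERR_STAT;
    if (S_ISREG(st.st_mode))
        return CFG_OK;
    if (S_ISCHR(st.st_mode) || S_ISBLK(st.st_mode)) {
        /* Allow only /dev/null, identified by device number, not by name. */
        if (S_ISCHR(st.st_mode) && stat("/dev/null", &null_st) == 0 &&
            S_ISCHR(null_st.st_mode) && st.st_rdev == null_st.st_rdev)
            return CFG_OK;
        return CFG_ERR_DEVICE;
    }
    return CFG_ERR_NOTREG;
}

/* Open a config file read-only. Returns an fd >= 0, or -1 with *status set.
 * O_NONBLOCK keeps open(2) from blocking on a FIFO that has no writer. */
int open_config_file(const char *path, enum cfg_status *status)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) { *status = CFG_ERR_OPEN; return -1; }
    *status = classify_config_fd(fd);
    if (*status != CFG_OK) { close(fd); return -1; }
    /* It is a regular file: ordinary blocking reads are fine from here. */
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);
    return fd;
}

/* Convenience: return only the status code for a path. */
int check_config_path(const char *path)
{
    enum cfg_status st;
    int fd = open_config_file(path, &st);
    if (fd >= 0) close(fd);
    return (int)st;
}

/* Constructed input: a throwaway regular .htaccess-like file. */
int check_temp_regular_file(void)
{
    char path[] = "/tmp/htaccess-XXXXXX";
    const char *cfg = "AuthType Basic\n";
    int fd = mkstemp(path);
    if (fd < 0) return CFG_ERR_OPEN;
    if (write(fd, cfg, strlen(cfg)) < 0) { close(fd); unlink(path); return CFG_ERR_OPEN; }
    close(fd);
    int r = check_config_path(path);
    unlink(path);
    return r;
}

/* Constructed input: a throwaway FIFO, the classic "hang the server" file. */
int check_temp_fifo(void)
{
    char dir[] = "/tmp/htaccess-XXXXXX";
    char path[64];
    int r = CFG_ERR_OPEN;
    if (mkdtemp(dir) == NULL) return r;
    snprintf(path, sizeof path, "%s/.htaccess", dir);
    if (mkfifo(path, 0600) == 0) {
        r = check_config_path(path);
        unlink(path);
    }
    rmdir(dir);
    return r;
}

int main(void)
{
    const char *samples[] = { "/dev/null", "/dev/zero", "/tmp", "/nonexistent" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> status %d\n", samples[i], check_config_path(samples[i]));
    printf("regular file -> status %d\n", check_temp_regular_file());
    printf("fifo         -> status %d\n", check_temp_fifo());
    return 0;
}
```

Note that the file-type check only stops the cases where open(2) or the first read would never return (a FIFO, a tty, an endless stream such as /dev/zero). A regular file that is merely huge or on a slow filesystem still has to be bounded by a read timeout, which is why the changelog entry pairs this check with opening the files through ap_pfopen.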