Posted to apache-bugdb@apache.org by br...@hyperreal.org on 1998/05/20 11:48:53 UTC
Re: mod_auth-any/1672: Authentication / .htaccess DoS attack
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
Synopsis: Authentication / .htaccess DoS attack
Comment-Added-By: brian
Comment-Added-When: Wed May 20 02:48:52 PDT 1998
Comment-Added:
A change to this has been committed to the 1.3b7-dev tree:
  *) When opening "configuration" files (like httpd.conf, htaccess
     and htpasswd), Apache will not allow them to be non-/dev/null
     device files. This closes a DoS hole. At the same time,
     we use ap_pfopen to open these files to handle timeouts.
     [Jim Jagielski, Martin Kraemer]
Could you pull down a snapshot of 1.3b7-dev and let us know
if this fixes your problem? You can get snapshots at
http://dev.apache.org/from-cvs/
Thanks! If this is good we'll possibly backport it to 1.2,
though we really want to focus on 1.3 as our main stable,
supported platform as soon as we can.
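
The check described in the change entry above, sketched as an added example; it is not part of the original message and is not Apache's code. The function names open_config_fd and config_path_allowed are hypothetical, and the ap_pfopen timeout handling is not reproduced.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* True if st describes the same character device as /dev/null. */
static int is_null_device(const struct stat *st)
{
    struct stat nul;
    return S_ISCHR(st->st_mode) && stat("/dev/null", &nul) == 0 &&
           S_ISCHR(nul.st_mode) && st->st_rdev == nul.st_rdev;
}

/* Hypothetical helper: open a configuration-style file read-only.
 * Returns a descriptor, -1 if it cannot be opened or inspected, or
 * -2 if it is a device file other than /dev/null. */
int open_config_fd(const char *path)
{
    struct stat st;
    /* O_NONBLOCK keeps open() itself from stalling on FIFOs and
     * terminal devices; it has no effect on regular files. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path, so the object that is
     * checked is the object that was opened. */
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    if ((S_ISCHR(st.st_mode) || S_ISBLK(st.st_mode)) && !is_null_device(&st)) {
        close(fd);
        return -2;
    }
    return fd;
}

/* 1 = accepted, 0 = refused as a device file, -1 = could not be opened. */
int config_path_allowed(const char *path)
{
    int fd = open_config_fd(path);
    if (fd >= 0) { close(fd); return 1; }
    return fd == -2 ? 0 : -1;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%-30s %d\n", argv[i], config_path_allowed(argv[i]));
    return 0;
}
```

Comparing st_rdev against /dev/null, rather than comparing the path string, also accepts a bind mount or alias of the null device and refuses a different device that has been given a similar name.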