You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/04/05 03:03:00 UTC
DO NOT REPLY [Bug 28193] New: -
Webdav Exploit - DOS Vulnerability Apache 1.3.x Series
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28193>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=28193
Webdav Exploit - DOS Vulnerability Apache 1.3.x Series
Summary: Webdav Exploit - DOS Vulnerability Apache 1.3.x Series
Product: Apache httpd-1.3
Version: 1.3.27
Platform: All
OS/Version: All
Status: NEW
Severity: Critical
Priority: Other
Component: core
AssignedTo: bugs@httpd.apache.org
ReportedBy: purlgurl@purlgurl.net
Webdav exploit comes in as SEARCH request method with an "URI" in
excess of thirty-thousand bytes. This method is not recognized by
Apache 1.3.x series, thus cannot be "captured" for any usage. This
series of Apache only recognizes a 414 error; URI too long.
I have discovered through testing and newsgroup discussions, the
Webdav Exploit cannot be captured by httpd directives, htaccess,
mod_rewrite, mod_security nor custom access log directives such
as setting an environment variable to limit log entry length.
Otherwords, Apache 1.3.x series is completely vulnerable to
a Denial Of Service attack employing the Webdav Exploit. My
logs show this exploit hitting six times in one second and
does cause Apache to slow down during those hits. A person
could change the timing on the C program Webdav Exploit to
send hits at such a rate to easily effect a DOS attack on
Apache servers running the 1.3.x series.
There are no facilities included in Apache 1.3.x to deal
with this exploit; Apache processes and responds with a
414 error before any directives or modules can be employed.
With mild modification to the Webdav program, any Apache
server running the 1.3.x series could be easily taken down
with a Denial Of Service attack using the Webdav exploit.
Kira
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org