Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/04/05 03:03:00 UTC

DO NOT REPLY [Bug 28193] New: - Webdav Exploit - DOS Vulnerability Apache 1.3.x Series

http://issues.apache.org/bugzilla/show_bug.cgi?id=28193

Webdav Exploit - DOS Vulnerability Apache 1.3.x Series

           Summary: Webdav Exploit - DOS Vulnerability Apache 1.3.x Series
           Product: Apache httpd-1.3
           Version: 1.3.27
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: purlgurl@purlgurl.net


Webdav exploit comes in as SEARCH request method with a "URI" in
excess of thirty-thousand bytes. This method is not recognized by
Apache 1.3.x series, thus cannot be "captured" for any usage. This
series of Apache only recognizes a 414 error; URI too long.

I have discovered through testing and newsgroup discussions, the
Webdav Exploit cannot be captured by httpd directives, htaccess,
mod_rewrite, mod_security nor custom access log directives such
as setting an environment variable to limit log entry length.

In other words, Apache 1.3.x series is completely vulnerable to
a Denial Of Service attack employing the Webdav Exploit. My
logs show this exploit hitting six times in one second and
does cause Apache to slow down during those hits. A person
could change the timing on the C program Webdav Exploit to
send hits at such a rate to easily effect a DOS attack on
Apache servers running the 1.3.x series.

There are no facilities included in Apache 1.3.x to deal
with this exploit; Apache processes and responds with a
414 error before any directives or modules can be employed.
With mild modification to the Webdav program, any Apache
server running the 1.3.x series could be easily taken down
with a Denial Of Service attack using the Webdav exploit.

Kira
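
The report describes bursts of oversized requests answered with 414 (six in one second). As an added example that is not part of the original report or of Apache, the following sketch flags such bursts in an access log after the fact. It assumes Common Log Format and that the log records the (possibly truncated) request line; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) \S+$')


def find_414_bursts(lines, min_hits=6, min_request_len=1000):
    """Return {(host, timestamp): hits} for every second in which one host
    received at least min_hits 414 responses to oversized request lines."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line.rstrip("\n"))
        if not m:
            continue  # not in the assumed format
        host, ts, request, status = m.groups()
        if status != "414":
            continue
        # The method (e.g. SEARCH) may be unknown to the server, so the
        # check keys on status and length, not on a valid method name.
        if len(request) < min_request_len:
            continue
        # CLF timestamps have one-second resolution, so grouping by the
        # timestamp string counts hits per second.
        hits[(host, ts)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


def sample_log():
    """Constructed log lines (documentation addresses, made-up sizes)."""
    long_req = "SEARCH /" + "A" * 30000
    burst = ['192.0.2.10 - - [05/Apr/2004:03:00:01 +0000] "%s" 414 340'
             % long_req] * 6
    normal = ['198.51.100.7 - - [05/Apr/2004:03:00:01 +0000] '
              '"GET /index.html HTTP/1.0" 200 1024']
    single = ['203.0.113.5 - - [05/Apr/2004:03:00:02 +0000] "%s" 414 340'
              % long_req]
    return burst + normal + single


if __name__ == "__main__":
    for (host, ts), n in find_414_bursts(sample_log()).items():
        print("%s sent %d oversized requests (414) at %s" % (host, n, ts))
```
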
