Posted to apache-bugdb@apache.org by Joseph W <sn...@goodnet.com> on 1998/10/31 18:39:12 UTC

mod_include/3323: Dos style attack with the usage of SSI's include virtual directive

>Number:         3323
>Category:       mod_include
>Synopsis:       Dos style attack with the usage of SSI's include virtual directive
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Oct 31 09:40:00 PST 1998
>Last-Modified:
>Originator:     sniffen@goodnet.com
>Organization:
apache
>Release:        1.3.3 w/SSL 1.28
>Environment:
OpenBSD 2.3 i386, gcc 2.8.1
>Description:
It has come to my attention that when specifying a
<!--#include virtual="a few /'s (one will do)"-->
directive, you may be able to make apache cause a system to crash eventually.
On my system (AMD K6 200 w/64mb of ram, 3200rpm hdd) the load average raised a
steady .2 points each second or so.
Top reported this after starting the "attack":
PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
5467 nobody    95    0   13M 9580K run   -        2:00 121.24% httpd
Probably 20 seconds or so into it.
This is somewhat similar to the past DoS attacks with 1.2.4 and earlier using
a large amount of /'s in the URL request.
>How-To-Repeat:
Well, first you have to enable SSIs for the file you are going to use
this include directive in:
---
srm.conf:
AddHandler server-parsed file.type (I put index.html)
---
Within the file.type, inside a document root, you would put
<!--#include virtual="/"-->
The attack comes just from trying to load the file over http.
Even after I stop trying to load the file, apache still consumes more and
more resources until I restart the daemon (SIGHUP is enough).
Will not work if you have too many /'s inside the virtual="" directive.
>Fix:
Someone needs to work on the handle_include() function inside mod_include.c,
adding code to ignore single and consecutive /'s without leading text?
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]
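The report's suggested fix, rejecting an include virtual value that consists only of slashes and collapsing consecutive slashes, as an added illustration. This is not Apache's mod_include code; the function name sanitize_virtual_path and its return convention are assumptions, and it covers only the slash check the reporter proposes, not any other validation mod_include performs.

```c
/* Added example, not Apache's handle_include(): sanitize the value of an
 * SSI "include virtual" attribute before it is used for a subrequest.
 * Function name and return convention are assumptions. */
#include <stddef.h>
#include <string.h>

/* Copy `src` into `dst` (of size dstlen), collapsing every run of '/'
 * into a single '/'. Returns 1 when the result names at least one path
 * component (some text besides slashes), 0 when the value is empty,
 * consists only of slashes, or does not fit in dst. A 0 return means
 * the directive should be refused rather than turned into a subrequest. */
int sanitize_virtual_path(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    int have_text = 0;   /* seen a character other than '/' */
    int prev_slash = 0;  /* last copied character was '/' */

    if (src == NULL || dst == NULL || dstlen == 0)
        return 0;

    for (; *src != '\0'; src++) {
        if (*src == '/') {
            if (prev_slash)
                continue;        /* drop the consecutive slash */
            prev_slash = 1;
        } else {
            prev_slash = 0;
            have_text = 1;
        }
        if (n + 1 >= dstlen) {   /* keep room for the terminator */
            dst[0] = '\0';
            return 0;
        }
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return have_text;
}
```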