Posted to apache-bugdb@apache.org by Joseph W <sn...@goodnet.com> on 1998/10/31 18:39:12 UTC
mod_include/3323: DoS-style attack with the usage of SSI's include virtual directive
>Number: 3323
>Category: mod_include
>Synopsis: DoS-style attack with the usage of SSI's include virtual directive
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sat Oct 31 09:40:00 PST 1998
>Last-Modified:
>Originator: sniffen@goodnet.com
>Organization:
apache
>Release: 1.3.3 w/SSL 1.28
>Environment:
OpenBSD 2.3 i386, gcc 2.8.1
>Description:
It has come to my attention that when specifying a
<!--#include virtual="a few /'s(one will do)"-->
directive, you may be able to make apache cause a system to crash eventually.
On my system (AMD K6 200 w/64MB of RAM, 3200rpm hdd) the load average rose a
steady .2 points each second or so.
Top reported this after starting the "attack":
PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
5467 nobody 95 0 13M 9580K run - 2:00 121.24% httpd
Probably 20 seconds or so into it.
This is somewhat similar to the past DoS attacks with 1.2.4 and earlier using
a large number of /'s in the URL request.
>How-To-Repeat:
Well, first you have to enable SSI's for the file you are going to use
this include directive in:
---
srm.conf:
AddHandler server-parsed file.type (I put index.html)
---
Within the file.type, inside a document root, you would put
<!--#include virtual="/"-->
The attack comes just from trying to load the file over http.
Even after I stop trying to load the file, Apache still consumes more and
more resources until I restart the daemon (SIGHUP is enough).
Will not work if you have too many /'s inside the virtual="" directive.
>Fix:
Someone needs to work on the handle_include() function inside mod_include.c,
adding code to ignore single and consecutive /'s without leading text?
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request ]
[from a developer. ]
[Reply only with text; DO NOT SEND ATTACHMENTS! ]
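The mitigation the report asks for in its Fix section (having handle_include() ignore slash-only targets) is sketched below as an added C example written for this page; it is not code from mod_include.c or from the Apache project. The function names, the buffer sizes, and the nesting cap of 8 are assumptions. It goes slightly beyond the slash-only case: it also rejects directory targets, ".." segments, self-inclusion, and deep nesting, the general conditions under which a server-side include can spiral into repeated subrequests and eat CPU the way the report describes.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical validator for the path given to <!--#include virtual="..."-->.
 * Added illustration only; not the real mod_include.c logic. */

#define MAX_INCLUDE_DEPTH 8   /* assumed cap on nested include subrequests */

/* Collapse runs of '/' into a single '/'. Returns the normalized length. */
size_t collapse_slashes(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    int prev_slash = 0;
    for (; *in && n + 1 < outlen; in++) {
        if (*in == '/') {
            if (prev_slash) continue;   /* drop the repeated slash */
            prev_slash = 1;
        } else {
            prev_slash = 0;
        }
        out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/* Test helper: does `in` normalize to `expected`? */
int collapses_to(const char *in, const char *expected)
{
    char buf[256];
    collapse_slashes(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Returns 1 if the include target may be fetched, 0 if it must be ignored.
 * Rejects: empty path, root-only path ("/", "///", ...), trailing slash
 * (a directory, not a file), ".." segments, inclusion of the document that
 * is doing the including, and nesting deeper than MAX_INCLUDE_DEPTH.
 * `including_uri` is assumed to be already normalized. */
int include_virtual_ok(const char *target, const char *including_uri, int depth)
{
    char norm[1024];
    size_t n = collapse_slashes(target, norm, sizeof norm);
    const char *p;

    if (depth >= MAX_INCLUDE_DEPTH) return 0;   /* runaway nesting */
    if (n == 0) return 0;                       /* empty target */
    if (strcmp(norm, "/") == 0) return 0;       /* the slash-only case */
    if (norm[n - 1] == '/') return 0;           /* directory, not a file */

    /* reject any path segment that is exactly ".." */
    p = norm;
    while ((p = strstr(p, "..")) != NULL) {
        int at_start = (p == norm || p[-1] == '/');
        int at_end = (p[2] == '\0' || p[2] == '/');
        if (at_start && at_end) return 0;
        p += 2;
    }

    if (strcmp(norm, including_uri) == 0) return 0;   /* self-inclusion */
    return 1;
}

int main(void)
{
    /* constructed sample targets, as if found in /index.html */
    const char *cases[] = { "/", "///", "/index.html", "/docs/footer.html",
                            "/docs/", "/a/../b", "/docs//footer.html" };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s -> %s\n", cases[i],
               include_virtual_ok(cases[i], "/index.html", 0) ? "include" : "ignore");
    return 0;
}
```

The depth counter is the part worth keeping even if the path checks are tightened further: any include that is rejected by path rules today can be reintroduced by a future alias or rewrite, whereas a hard cap on nested subrequests bounds the damage regardless of how the loop is formed.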