Mailing List Archive: Apache: Bugs
[Bug 47417] New: Apache Web Server 2.2.11 Incomplete HTTP Header Resource Exhaustion Vulnerability
bugzilla at apache

Jun 24, 2009, 9:30 AM



https://issues.apache.org/bugzilla/show_bug.cgi?id=47417

Summary: Apache Web Server 2.2.11 Incomplete HTTP Header Resource Exhaustion Vulnerability
Product: Apache httpd-2
Version: 2.2.11
Platform: All
URL: http://isc.sans.org/diary.html?storyid=6601
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Core
AssignedTo: bugs[at]httpd.apache.org
ReportedBy: sailesh_kyanam[at]fanniemae.com


This alleged vulnerability was reported to us by our internal security group.
Apparently, all versions of Apache 2.2, including the latest version 2.2.11, are
affected by a bug that can cause DoS attacks to be made very trivially.

While there are a lot of DoS tools available today, this one is particularly
interesting because it holds the connection open while sending incomplete HTTP
requests to the server.

In this case, the server will open the connection and wait for the complete
header to be received. However, the client (the DoS tool) will not send it and
will instead keep sending bogus header lines which will keep the connection
allocated.
The initial part of the HTTP request is completely legitimate:

GET / HTTP/1.1\r\n
Host: host\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n
Content-Length: 42\r\n

After sending this the client waits for a certain time – notice that it is
missing one CRLF to finish the header, which is otherwise completely legitimate.
The bogus header line the tool sends is currently:

X-a: b\r\n

which obviously doesn't mean anything to the server, so it keeps waiting for the
rest of the header to arrive.

This link at iDefense labs has the code required to run the exploit:
https://ialert.idefense.com/idcontent/2009/exploit_code/487469-Web_Server_HTTP_Header_DoS.php.txt
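The defensive counterpart to the trickle described in the report, as an added example that is not part of the bug report or of Apache's own code: a per-read idle timeout never expires against a client that sends one "X-a: b" line every few seconds, so the header phase as a whole has to be bounded. The guard below grants a fixed initial allowance and then extends it only in proportion to bytes actually received (the same idea later shipped in httpd's mod_reqtimeout as RequestReadTimeout header=20-40,MinRate=500); the class, function names and the shortened request bytes are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

HEADER_END = b"\r\n\r\n"

@dataclass
class HeaderGuard:
    """Bound the whole header phase: time is granted up front and then only in
    proportion to bytes received, so a client that keeps the socket busy with
    tiny bogus lines cannot hold a worker indefinitely (hypothetical helper)."""
    initial: float = 20.0    # seconds granted before any rate credit
    maximum: float = 40.0    # hard ceiling for the header phase
    min_rate: float = 500.0  # bytes per second needed to earn more time
    max_bytes: int = 8192    # reject oversized header blocks outright
    buf: bytearray = field(default_factory=bytearray)
    started: Optional[float] = None

    def feed(self, chunk: bytes, now: float) -> str:
        """Return 'complete', 'waiting', or an 'abort: ...' reason."""
        if self.started is None:
            self.started = now
        self.buf += chunk
        if HEADER_END in self.buf:
            return "complete"
        if len(self.buf) > self.max_bytes:
            return "abort: header too large"
        allowed = min(self.initial + len(self.buf) / self.min_rate, self.maximum)
        if now - self.started > allowed:
            return "abort: header phase exceeded %.1fs" % allowed
        return "waiting"

def replay(timeline, guard=None):
    """Feed (seconds, bytes) events in order; return (verdict, time reached)."""
    if guard is None:
        guard = HeaderGuard()
    for t, chunk in timeline:
        verdict = guard.feed(chunk, t)
        if verdict != "waiting":
            return verdict, t
    return "waiting", timeline[-1][0]

# Constructed inputs: the request start quoted in the report (User-Agent
# shortened), with and without its terminating blank line, then the trickle.
PREFIX = (b"GET / HTTP/1.1\r\nHost: host\r\n"
          b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
          b"Content-Length: 42\r\n")
LEGIT = [(0.0, PREFIX + b"\r\n")]
TRICKLE = [(0.0, PREFIX)] + [(10.0 * i, b"X-a: b\r\n") for i in range(1, 13)]
```

replay(LEGIT) returns ('complete', 0.0), while replay(TRICKLE) is cut off at t=30.0 because 120 bytes only earned about 0.2 s beyond the 20 s initial allowance.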

