
Mailing List Archive: Apache: Dev

protocol for reporting bug that 'may' be considered exploit

 

 



toadie643 at gmail

Jun 29, 2009, 9:10 PM


Hello,

I think we may have discovered an issue with mod_proxy that 'could' be
used as an exploit to render an Apache server useless. I normally
report more benign bugs via the normal bug reporting interface.
However, this one bug is quite easy to create an exploit for so I am
looking for guidance on how to report this issue. Should I report
this on the apache bug tool (which will make this info publicly
available)?

What I have so far

1. a confirmed repro of the bug
2. a general area where we think the offending line in the code is
causing the problem
3. attempted to fix the bug and created a patch but to no avail (we
aren't familiar with the apr* modules and various ap* functions.)

In addition I have scanned through the bug DB and found several
instances of similar symptoms that we have observed around issues with
mod_proxy. None of the bugs had a repro. I believe we could have found a
repro case that consistently causes a lockup in Apache.

Because of the sensitivity of this bug and its relative ease to craft
an exploit, let me know how to proceed. We are willing to work with
one or more individuals on the apache team who are familiar with the
code to repro and test one or more patches.

If the normal procedure is to report the bug via the Apache bug db,
please let me know.

Thanks in advance.

PS: During our discovery, we also found another bug but it's more
benign and I will file it as a separate bug


covener at gmail

Jun 29, 2009, 9:24 PM

Re: protocol for reporting bug that 'may' be considered exploit

On Tue, Jun 30, 2009 at 12:10 AM, Toadie<toadie643[at]gmail.com> wrote:
> Hello,
>
> I think we may have discovered an issue with mod_proxy that 'could' be
> used as an exploit to render an Apache server useless.

report via email to security[at]apache.org ( more detail at
http://www.apache.org/security/ )


--
Eric Covener
covener[at]gmail.com


toadie643 at gmail

Jun 29, 2009, 10:19 PM

Re: protocol for reporting bug that 'may' be considered exploit

Thank you!

Will file one shortly.



On Mon, Jun 29, 2009 at 9:24 PM, Eric Covener<covener[at]gmail.com> wrote:
> On Tue, Jun 30, 2009 at 12:10 AM, Toadie<toadie643[at]gmail.com> wrote:
>> Hello,
>>
>> I think we may have discovered an issue with mod_proxy that 'could' be
>> used as an exploit to render an Apache server useless.
>
> report via email to security[at]apache.org ( more detail at
> http://www.apache.org/security/ )
>
>
> --
> Eric Covener
> covener[at]gmail.com
>
