>Number:         3323
>Category:       mod_include
>Synopsis:       DoS style attack with the usage of SSI's include virtual directive
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Oct 31 09:40:00 PST 1998
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.3.3 w/SSL 1.28
>Environment:
OpenBSD 2.3 i386, gcc 2.8.1
>Description:
It has come to my attention that when specifying a
<!--#include virtual="a few /'s (one will do)"--> directive, you may be
able to make apache cause a system to crash eventually. On my system
(AMD K6 200 w/64mb of ram, 3200rpm hdd) the load average rose a steady
.2 points each second or so. Top reported this after starting the
"attack":

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT TIME    CPU     COMMAND
 5467 nobody    95    0   13M 9580K run   -    2:00  121.24%  httpd

Probably 20 seconds or so into it. This is somewhat similar to the past
DoS attacks with 1.2.4 and earlier using a large amount of /'s in the
url request.
>How-To-Repeat:
Well, first you have to enable SSI's for the file you are going to use
this include directive in:

--- srm.conf:
AddHandler server-parsed file.type   (I put index.html)
---

Within the file.type, inside a document root, you would put

<!--#include virtual="/"-->

The attack comes just from trying to load the file over http. Even after
I stop trying to load the file, apache still consumes more and more
resources until I restart the daemon (sighup is enough). Will not work
if you have too many /'s inside the virtual="" directive.
>Fix:
Someone needs to work on the handle_include() function inside
mod_include.c, adding code to ignore single and consecutive /'s without
leading text?
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ignored ]
[unless you are responding to an explicit request ]
[from a developer. ]
[Reply only with text; DO NOT SEND ATTACHMENTS! ]
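The Fix section above proposes that handle_include() ignore an include virtual target made of nothing but slashes and collapse runs of consecutive slashes. The following C is an added illustration of that suggested check, written here as a stand-alone helper; it is not code from mod_include.c or from the Apache project, and the function names (include_target_is_acceptable, collapsed, sanitize_include_virtual, count_rejected_include_directives), the 256-byte target limit and the embedded sample page are all assumptions constructed for the example. It also shows the defensive side of the report: scanning a server-parsed document for include directives whose target would be rejected, which is what an administrator auditing SSI-enabled files would want to know.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Returns 1 when the "include virtual" target names something other than
 * the bare root, i.e. contains at least one character that is not '/'.
 * A NULL or empty target, "/", "//", "///" ... all return 0 and should be
 * ignored by the SSI handler rather than resolved as a subrequest. */
int include_target_is_acceptable(const char *virt) {
    if (virt == NULL) return 0;
    for (const char *p = virt; *p != '\0'; p++) {
        if (*p != '/') return 1;
    }
    return 0;
}

/* Copies `in` to `out`, collapsing every run of '/' into a single '/'.
 * `out` must have room for strlen(in) + 1 bytes. */
void collapse_slashes(const char *in, char *out) {
    int prev_slash = 0;
    for (; *in != '\0'; in++) {
        if (*in == '/') {
            if (!prev_slash) *out++ = '/';
            prev_slash = 1;
        } else {
            *out++ = *in;
            prev_slash = 0;
        }
    }
    *out = '\0';
}

/* Convenience wrapper returning the collapsed form in a static buffer
 * (assumed helper, so callers can compare the result directly). */
const char *collapsed(const char *in) {
    static char buf[256];
    if (strlen(in) + 1 > sizeof buf) return "";
    collapse_slashes(in, buf);
    return buf;
}

/* Combined check mirroring the PR's suggested fix: returns 1 and writes the
 * normalised target to `out`; returns 0 and writes "" when the directive
 * should be ignored (all-slash target, NULL, or too long for `out`). */
int sanitize_include_virtual(const char *virt, char *out, size_t outlen) {
    if (outlen == 0) return 0;
    out[0] = '\0';
    if (virt == NULL || strlen(virt) + 1 > outlen) return 0;
    if (!include_target_is_acceptable(virt)) return 0;
    collapse_slashes(virt, out);
    return 1;
}

/* Audit helper: counts <!--#include virtual="..."--> directives in a
 * server-parsed document whose target the check above would reject. */
int count_rejected_include_directives(const char *html) {
    static const char tag[] = "<!--#include virtual=\"";
    const size_t taglen = sizeof tag - 1;
    int rejected = 0;
    const char *p = html;
    while ((p = strstr(p, tag)) != NULL) {
        p += taglen;
        const char *end = strchr(p, '"');
        if (end == NULL) break;                 /* unterminated directive */
        char target[256];
        size_t n = (size_t)(end - p);
        if (n >= sizeof target) n = sizeof target - 1;
        memcpy(target, p, n);
        target[n] = '\0';
        if (!include_target_is_acceptable(target)) rejected++;
        p = end + 1;
    }
    return rejected;
}

/* Constructed sample page: two directives with all-slash targets (the
 * pattern from the report) and one legitimate include. */
static const char SAMPLE_SSI_PAGE[] =
    "<html><body>\n"
    "<!--#include virtual=\"/\"-->\n"
    "<!--#include virtual=\"/footer.html\"-->\n"
    "<!--#include virtual=\"///\"-->\n"
    "</body></html>\n";

int main(void) {
    char out[256];
    printf("\"/\"            -> accepted=%d\n",
           sanitize_include_virtual("/", out, sizeof out));
    printf("\"//cgi-bin//x\" -> accepted=%d normalised=%s\n",
           sanitize_include_virtual("//cgi-bin//x", out, sizeof out), out);
    printf("sample page: %d directive(s) would be ignored\n",
           count_rejected_include_directives(SAMPLE_SSI_PAGE));
    return 0;
}
```

The acceptance test deliberately looks only at whether any non-slash character is present, which is the narrow condition the Fix section describes; a real handler would still apply its normal path resolution and access checks after this pre-filter.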
