https://issues.apache.org/bugzilla/show_bug.cgi?id=48509
Summary: Apache crashes when POSTing to apache and altering the
content-length
Product: Apache httpd-2
Version: 2.2.14
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: major
Priority: P2
Component: mod_isapi
AssignedTo: [email protected]
ReportedBy: [email protected]
To reproduce:
-------------
send a valid POST request to your ISAPI dll
start fiddler2 and copy the request to the 'Request Builder'
go to 'Request Builder'->'Options' and untick 'Fix Content-Length header'
go to 'Request Builder'->'Parsed' and manually change the 'Content-Length:' to 1
now press execute a few times fast, in my test Apache crashes after 1-10 clicks
Reason:
-------
when the post command is tampered with as above, the call to
ap_get_client_block in isapi_handler (sometimes?) fails.
as a result the isapi dll is unloaded - this is dangerous !! other threads
processing other requests have already acquired the pointer to the dll function
and now try to call it with the dll not in memory which crashes apache.
Solution:
---------
there is no reason to unload the isapi dll in isapi_handler, it is dangerous and
does not provide any benefit. In mod_isapi.c I have remarked all (2) calls to
isapi_unload and left only the one in cleanup_isapi which if I understand
correctly only gets called when Apache exits (although I think it can be
removed as well). In testing this solves the issue.
Security
--------
I can't see how a hacker can manipulate the address pointer but it's still a
fact that the server tries to jump to an invalid function pointer.
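Added example, not code from the report or from mod_isapi: a minimal C model of the failure the reporter describes, in which one request's failed body read triggers an unload while other requests still hold the module's entry point. The module, its entry function, `module_acquire`/`module_release` and `handle_request` are all hypothetical stand-ins for LoadLibrary/GetProcAddress and isapi_handler, simulated so the program runs on any platform without threads. It shows the general mitigation for this class of bug (pin the module with a reference count and defer any unload until the last user lets go), which goes beyond the report's own fix of simply never unloading in the handler.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a loaded ISAPI extension. In the real module
 * the handle comes from LoadLibrary and the entry point from GetProcAddress;
 * here both are simulated. */
typedef int (*entry_fn)(const char *body, size_t len);

typedef struct {
    entry_fn entry;      /* "function pointer into the DLL" */
    int refs;            /* requests currently using the module */
    int unload_pending;  /* an unload was requested while still in use */
    int loaded;          /* 0 once the module has really been torn down */
} isapi_module;

/* Constructed extension: just reports the body length it was given. */
static int fake_extension(const char *body, size_t len) {
    (void)body;
    return (int)len;
}

isapi_module *module_load(void) {
    isapi_module *m = calloc(1, sizeof *m);
    m->entry = fake_extension;
    m->loaded = 1;
    return m;
}

/* Real teardown (simulated FreeLibrary). Only reached when refs == 0. */
static void module_unload_now(isapi_module *m) {
    m->entry = NULL;     /* the code is gone; any cached pointer is now invalid */
    m->loaded = 0;
}

/* Pin the module for the duration of one request. NULL means "not loaded". */
entry_fn module_acquire(isapi_module *m) {
    if (!m->loaded) return NULL;
    m->refs++;
    return m->entry;
}

/* Unpin; if an unload was deferred, perform it once nobody else holds a ref. */
void module_release(isapi_module *m) {
    if (m->refs > 0) m->refs--;
    if (m->refs == 0 && m->unload_pending) module_unload_now(m);
}

/* Ask for an unload. Returns 1 if done now, 0 if deferred behind other users. */
int module_request_unload(isapi_module *m) {
    if (m->refs == 0) { module_unload_now(m); return 1; }
    m->unload_pending = 1;
    return 0;
}

/* Simulated handler: a declared length that does not match the body stands in
 * for the failed ap_get_client_block. Returns the extension's result, -1 on a
 * failed body read, -2 if the module was already unloaded (refused, not jumped to). */
int handle_request(isapi_module *m, const char *body, size_t declared_len) {
    entry_fn fn = module_acquire(m);
    if (!fn) return -2;
    int rc;
    if (declared_len != strlen(body)) {
        rc = -1;
        module_request_unload(m);   /* the handler's reaction, now safely deferred */
    } else {
        rc = fn(body, declared_len);
    }
    module_release(m);
    return rc;
}

/* Interleaves a good request (A) with a tampered one (B), as two worker threads
 * would. Returns 1 if A could still call the entry point after B's failure and
 * the unload only happened once A released its reference. */
int scenario_interleaved(void) {
    isapi_module *m = module_load();
    entry_fn a = module_acquire(m);             /* A: begins a valid request */
    int b_rc = handle_request(m, "abc", 1);     /* B: Content-Length tampered to 1 */
    int loaded_after_b = m->loaded;             /* must still be 1: A holds a ref */
    int a_rc = a ? a("hello", 5) : -2;          /* A: safe, pointer still valid */
    module_release(m);                          /* A done: deferred unload fires */
    int ok = (b_rc == -1) && loaded_after_b && (a_rc == 5) && !m->loaded;
    free(m);
    return ok;
}

/* Sequential case: a tampered request with no other users unloads at once,
 * and the next request is refused with -2 instead of calling a dangling pointer. */
int scenario_sequential(void) {
    isapi_module *m = module_load();
    int ok = handle_request(m, "abc", 3) == 3 && m->loaded
          && handle_request(m, "abc", 1) == -1 && !m->loaded
          && handle_request(m, "abc", 3) == -2;
    free(m);
    return ok;
}

int main(void) {
    printf("interleaved ok: %d\n", scenario_interleaved());
    printf("sequential ok: %d\n", scenario_sequential());
    return 0;
}
```

In the unpatched behaviour the report describes, the unload in request B happens immediately, so A's cached pointer in `scenario_interleaved` would point at unmapped code; with the reference count the teardown waits until A releases, and later requests get an explicit refusal rather than a jump through NULL. A real implementation would guard `refs` and `unload_pending` with a mutex, since the counters are touched from several worker threads.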