On Wed Jun 19 17:54:02 2002 +0400 Igor Sysoev wrote:
>On 19 Jun 2002, Ilya Martynov wrote:
>
>> If you still do not know about it:
>>
>> http://httpd.apache.org/info/security_bulletin_20020617.txt
>>
>> Now mod_perl question. mod_perl servers often are used as backend
>> servers. I.e. they are not accessed directly but they are accessed
>> either via fronted Apache or via proxy (like squid or oops) in
>> accelerated mode. As I understand advisory in this case backend
>> mod_perl server is not vulnerable since attacker do not have direct
>> access to it.
>>
>> Can anybody confirm it?
>
>If your backend is proxied via mod_proxy or mod_accel then backend is not
>vulnerable because both modules do not accept client's chunked body at all.
>I can not say anything about Squid and Oops.
>
They have in the changelog for 1.3.26:
* A large number of fixes in mod_proxy including: adding support
for dechunking chunked responses, correcting a timeout problem
<...>
Does this change anything? I.e. backend is still safe?
--
☻ Ričardas Čepas ☺
