On Fri, 21 Jun 2002, Richard Čepas wrote:

> On Wed Jun 19 17:54:02 2002 +0400 Igor Sysoev wrote:
>
> >On 19 Jun 2002, Ilya Martynov wrote:
> >
> >> If you still do not know about it:
> >>
> >> http://httpd.apache.org/info/security_bulletin_20020617.txt
> >>
> >> Now mod_perl question. mod_perl servers often are used as backend
> >> servers. I.e. they are not accessed directly but they are accessed
> >> either via frontend Apache or via proxy (like squid or oops) in
> >> accelerated mode. As I understand the advisory, in this case the backend
> >> mod_perl server is not vulnerable since the attacker does not have direct
> >> access to it.
> >>
> >> Can anybody confirm it?
> >
> >If your backend is proxied via mod_proxy or mod_accel then backend is not
> >vulnerable because both modules do not accept client's chunked body at all.
> >I cannot say anything about Squid and Oops.
> >
>
> They have in the changelog for 1.3.26:
>   * A large number of fixes in mod_proxy including: adding support
>     for dechunking chunked responses, correcting a timeout problem
>     <...>
>
> Does this change anything? I.e. backend is still safe?
In 1.3.24 mod_proxy tries to support chunked responses that go from servers.
It never supports a client's chunked body.

As far as I know, there are now no browsers that send a chunked body.

Igor Sysoev
http://sysoev.ru
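The front-end behaviour described in the reply above (a proxy that never accepts a client's chunked body, so the backend never has to parse one), as an added example that is not part of the original thread and is not mod_proxy or mod_accel code. The function names, the 411/400 status codes and the sample requests are assumptions constructed for this sketch; it also validates Content-Length, which goes slightly beyond what the thread states.

```python
# Added example: front-end policy that never forwards a client's chunked body.
# Function names, status codes and sample requests are constructed for illustration.

def parse_headers(raw: bytes):
    """Return [(lowercased name, value)] from a raw HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if line[:1] in (" ", "\t") and headers:  # obsolete folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or name != name.strip():      # no colon, or space around the name
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return headers

def frontend_decision(raw: bytes):
    """Return (forward, status): forward only bodies framed by one valid Content-Length."""
    try:
        headers = parse_headers(raw)
    except ValueError:
        return (False, 400)
    # Any Transfer-Encoding on a request is refused, whatever its case or coding list.
    if any(name == "transfer-encoding" for name, _ in headers):
        return (False, 411)   # assumed status for this sketch: Length Required
    lengths = {value for name, value in headers if name == "content-length"}
    if len(lengths) > 1 or any(not (v.isascii() and v.isdigit()) for v in lengths):
        return (False, 400)   # ambiguous or non-numeric length
    return (True, None)

# Constructed sample requests.
PLAIN = b"POST /app HTTP/1.1\r\nHost: backend\r\nContent-Length: 3\r\n\r\na=1"
CHUNKED = (b"POST /app HTTP/1.1\r\nHost: backend\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n3\r\na=1\r\n0\r\n\r\n")
MIXED_CASE = b"POST /app HTTP/1.1\r\nHost: backend\r\ntransfer-ENCODING:\r\n  Chunked\r\n\r\n"
TWO_LENGTHS = (b"POST /app HTTP/1.1\r\nHost: backend\r\n"
               b"Content-Length: 3\r\nContent-Length: 30\r\n\r\na=1")

if __name__ == "__main__":
    for label, req in [("plain", PLAIN), ("chunked", CHUNKED),
                       ("mixed-case", MIXED_CASE), ("two-lengths", TWO_LENGTHS)]:
        print(label, frontend_decision(req))
```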