OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 1st quarter (Jan-Mar) 1998: Re: DoS attack: apache (& other) .htaccess Authentication

Re: DoS attack: apache (& other) .htaccess Authentication

Dean Gaudet (dgaudet-list-bugtraqARCTIC.ORG)
Fri, 16 Jan 1998 10:51:20 -0800 

On Fri, 16 Jan 1998, Casper Dik wrote:

> Or if you use a default /net automount on Solaris, just open
>
> "/net/far-a-field"
>
> Seems like a problem that's hard to generally fix, other than making
> sure noone gets to write .htaccess files.

If you have to fstat() the .htaccess file anyway you can also ensure that
it's on a device number that's "appropriate".  But this doesn't work so
hot for folks using automounted home directories.  It works just fine if
you've got all your web users on a few local partitions that don't contain
"nasty" files.  (You all have separate / and /export/home right?)

Incidentally this is an alternate solution to the symlink protection
already in apache... the symlink protection is expensive and hard to
configure right.  You can find a sample module for 1.3 at
<http://www.arctic.org/~dgaudet/apache/mod_allowdev.c>.  Before anyone
asks, no I won't port it to 1.2.

Doesn't handle all the cases either.

Opening a file is a critical section because it is a resource that needs
to be tracked.  But a SIGALRM handler could be told that you're in a
critical section, and if it's missing SA_RESTART then it'll cause open()
to return EINTR (or at least it should).  That's enough data to exit many
critical sections safely... but things like opendir() are critical
sections as well, and are stuck in libc and who knows what they do with
EINTR in general.  If we whack open() then someone needs only find a DoS
with opendir().

Or we could just recode opendir()/readdir() using open()/getdents() and
make sure it does the right thing with EINTR.

and on and on.

Dean