From: Jay D. Dyson (jdyson treachery.net)
Date: Wed Jun 19 2002 - 20:12:59 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 20 Jun 2002, Przemyslaw Frasunek wrote:

> I was playing a bit with chunked encoding vulnerability and found the
> following. When I send a request to Apache 1.3.24 using malformed
> chunked encoding, httpd process goes into infinite loop and CPU load
> grows to 100%.

<snip>

> Can anyone try it with 1.3.26?

It appears that Apache v1.3.26 is immune to that style of attack.
I attempted it on one of my servers and the response was thus:

HTTP/1.1 400 Bad Request
Date: Thu, 20 Jun 2002 01:03:49 GMT
Server: Rocket_Science_Server/9.11.2001 (StratOS)
Connection: close
Content-Type: text/html; charset=iso-8859-1

<Snipped HTML>

I also had 'top' running in another session and it didn't even
register a blip.

- -Jay
( ( _______
)) )) .--"There's always time for a good cup of coffee"--. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson treachery.net ------<) | = |-'
`--' `--' `-- I'll be diplomatic...when I run out of ammo. --' `------'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iD8DBQE9ESweGI2IHblM+8ERApRjAKCei2b/VGZzEyuBYvnou5C73U5PKACeMLA2
ETiTimiQEbMz0tPYRTi9Cnk=
=Zuoo
-----END PGP SIGNATURE-----