Revival of an Unpatched Apache HTTPD DoS
Readers have been writing in, and I wanted to get this out for info and comment. I have not had a chance to test it out myself. It was first reported in 2007 by Michal Zalewski on Bugtraq. [1] It appears that, due to its lack of sophistication, it did not get much attention from Apache developers, and it has remained unpatched all this time.
It formally resurfaced last Friday with a proof of concept. A CVE is in draft, and a patch is expected from the Apache team in a few days. You can read a discussion about it on the Apache HTTPD dev mailing list. [2] The link provides details on some mitigation measures to be taken. When I get a chance, I will test and report back.
In the meantime, please share your experiences with your fellow readers in a comment.
[1] http://seclists.org/bugtraq/2007/Jan/83
[2] http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2
-Kevin
--
ISC Handler on Duty
Comments
Jim
Aug 25th 2011
VJ
Aug 25th 2011
This is not the first time taking the minimalist (least privilege) approach has paid off for me. :-)
VJ
Aug 25th 2011
http://compusec.org/?p=111
Albert
Aug 25th 2011
Disabling mod_gzip/mod_deflate is NOT A FIX, but considering the kiddies, it might save you a lot of grief.
Patrick
Aug 26th 2011
Better read the "official" posting on the Apache announce list, which has updated info:
http://marc.info/?l=apache-httpd-announce&m=131420273523300&w=2
Patrick
Aug 26th 2011
I would encourage you to do the same if you can...
CS
Aug 26th 2011
http://seclists.org/fulldisclosure/2011/Aug/301
CS
Aug 26th 2011