Bug#663723: Critical memory leak with mod_rewrite in apache2 using german umlauts
severity 663723 wishlist
tags 663723 -security
retitle 663723 apache2 does not prevent DoS through .htaccess files
thanks
On Tuesday 13 March 2012, Patrick Matthäi wrote:
> I noticed on a customer's server, that apache periodically crashes the
> whole system by using the whole available memory until it swaps
> away.
>
> RewriteEngine on
> RewriteBase /
> RewriteRule ^(.*)\xC3\x84(.*)$ $1Ä$2 [N,E=utf8_fixed:1]
The problem is not the special character but that this regular
expression has quadratic complexity in the string length. Using (.*?)
instead of (.*) everywhere will likely fix it.
This is a general problem when using regular expressions. And being
allowed to use .htaccess means having access to regular expressions.
> Now the server runs out of memory very fast!
>
> This is especially a big problem for shared hosters with mod_rewrite
> enabled (most vhosts require them today) where users could put
> their own .htaccess to the documentroot
While I don't deny that this is a problem for some use cases, it is a
fact that the .htaccess mechanism has not been designed with limiting
local DoS attacks in mind. There are many ways to cause a DoS with
crafted .htaccess files. Some of these cannot be fixed without
breaking compatibility, i.e. not within 2.2.x or 2.4.x. Therefore,
picking out a few of these issues and fixing them in Debian does not
make any sense. If you use prefork, you can work around this by adding
suitable ulimit calls in /etc/apache2/envvars.
Upstream does not consider these issues security relevant, either:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201111.mbox/%3C4EC6DE56.9020701@rowe-clan.net%3E
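
The ulimit workaround mentioned in the reply, as an added example that is not part of the original message: a fragment for /etc/apache2/envvars (sourced by apache2ctl before the server starts) that caps the address space of each Apache process. The 1 GiB value, the variable name and the lower_limit helper are assumptions for illustration.

```shell
# Fragment for /etc/apache2/envvars (prefork MPM, as in the reply above).
# Constructed value, not taken from the bug report: tune it to the
# largest legitimate request the site has to serve.
APACHE_LIMIT_VMEM_KB=1048576   # ulimit -v: address space per process, in KiB

# lower_limit FLAG VALUE
# Set resource limit FLAG (for example -v) to VALUE, but only when that
# tightens the current soft limit. A limit inherited from the init
# script or the administrator that is already stricter is left alone,
# and nothing is ever raised.
lower_limit() {
    cur=$(ulimit -S "$1")
    if [ "$cur" = "unlimited" ] || [ "$cur" -gt "$2" ]; then
        # Without -S or -H both the soft and the hard limit are set,
        # so a child process cannot raise the value again.
        ulimit "$1" "$2"
    fi
}

# The limit is inherited by the Apache parent and by every child it
# forks. A child whose request exhausts the limit fails its allocation
# and exits instead of pushing the whole machine into swap.
lower_limit -v "$APACHE_LIMIT_VMEM_KB"
```

The limit also applies to the Apache parent process, so a value that is too small can stop the server from starting at all.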