[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#858373: apache2: segfaults upon recieving bad request when using worker/event mpm and cgid errordoc

Package: apache2.2-common
Version: 2.2.22-13+deb7u8
Severity: normal
Tags: security

Dear Maintainer,

We have some websites running on Debian Wheezy, so still using Apache 2.2.22, that are configured either in Worker or Event MPM (so are using mod_cgid in what follows), and have a custom "ErrorDocument 400" directive that points at a perl script for providing custom ModSecurity error.

I haven't dug up an older version of the package from snapshots to confirm this, but I think that since the recently backported HttpProtocolOptions directive to that version (BTW, where was that announced - I had to run strings on the binary to find it), I've been seeing a lot of segfault/coredumps registered in the Apache error logs.

After some analysis, I've found that I can reproduce the error with a fairly trivial shell command:

# echo -ne "GET / HTTP/1.0\n" | nc $some_website 80

From the coredump, I was able to find that this line (1371) in the
cgid_handler() code in the modules/generators/mod_cgid.c source file has a null pointer issue on the r->protocol field:

	is_included = !strcmp(r->protocol, "INCLUDED");

Seems like a bit of a security issue to me.

No combination of adjustments to the HttpProtocolOptions directive seemed to help from what I could see.

I also haven't been able to reproduce this issue on a Prefork MPM backend webserver.

Varying the details of the perl ErrorDocument script's implementation don't appear to help either (eg: it still occurs even with a simple hello world script).

The error still occurs if I disable ModSecurity, but leave the ErrorDocument for 400 messages.

Let me know if you need any more details or have any questions.


-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
 alias auth_basic authn_file authz_default authz_groupfile
 authz_host authz_user autoindex cgid deflate dir env expires
 headers include info mime mod-security negotiation reqtimeout
 rewrite rpaf setenvif shib2 ssl status unique_id userdir*
 (A * means that the .conf file for that module is not enabled in

-- System Information:
Debian Release: 7.11
 APT prefers oldstable
 APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-0.bpo.4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-worker  2.2.22-13+deb7u8
ii  apache2.2-common    2.2.22-13+deb7u8

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils  2.2.22-13+deb7u8
ii  apache2.2-bin  2.2.22-13+deb7u8
ii  lsb-base       4.1+Debian8+deb7u1
ii  mime-support   3.52-1+deb7u1
ii  perl           5.14.2-21+deb7u4
ii  procps         1:3.3.3-3

Versions of packages apache2.2-common recommends:
pn  ssl-cert  <none>

Versions of packages apache2.2-common suggests:
pn  apache2-doc                             <none>
pn  apache2-suexec | apache2-suexec-custom  <none>
ii  lynx-cur [www-browser]                  2.8.8dev.12-2+deb7u1

-- no debconf information

Reply to: