Re: DoS attack: apache (& other) .htaccess Authentication

Sevo Stille (sevo@inm.de)
Thu, 15 Jan 1998 12:53:54 +0100

jan@WEDEKIND.DE wrote:

> Sorry, if already known (not found anywhere or even heard about):
>
> At the beginning of the week (after the release of apache 1.2.5)
> we discovered a DoS attack in apache and (eventually) other / all (?)
> httpd's. Many thanks to Bernard "sendmail" Steiner <bs@de.uu.net>,
> who got the important idea.
>
> For apache 1.2.x (and very sure all versions before), the
> DoS may be exploited if both of the following conditions are true:
>
> - the intruder has (at least FTP) write access to (at least)
> one HTML directory
>
> - per directory access (AccessFileName configuration directive)
> is enabled and the filename is known to the intruder
> (default is .htaccess)

And (most important):

- AllowOverride has been set up to allow AuthConfig overrides in an
untrusted users directory.

This is a serious configuration error. AllowOverride can be used to give
users access to very considerable portions of the server setup. Untrusted
users should have no (or strictly limited) access to the server
configuration. Fully enabled .htaccess files can easily be abused to lock
up or bring down the server or circumvent security restrictions in many
different ways!

> (...)
> possible fixes:
>
> a) workaround
>
> Disable .htaccess in srm.conf by commenting out AccessFileName:
> (default is NULL in the apache distribution, e.g. disabled)
>
> #AccessFileName .htaccess

A more reasonable workaround than disabling access restrictions for all
users or trying to patch the server against handling unsafe files would be
not to allow AuthConfig overrides for untrusted users. There should be no
need to allow users to specify their own password file anyway - the name
and location provided by the server administration is fully
sufficient. AllowOverride can and should be set to None or Limit unless you
have very good reasons to give the user more access to the server
configuration - AuthConfig can (apart from the described DoS attacks) be
abused for password probing and all other overrides (Options, FileInfo and
Indexes) can be abused to publish any document readable by the server
process.

regards
Sevo

--
Sevo Stille                                        sevo@inm.de
Web Department
inm numerical magic GmbH    Tel: ++49 (69) 9419630
Daimlerstrasse 32    Fax: ++49 (69) 94196322
D 60314 Frankfurt a.M.
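The configuration point of this reply, as an added example that is not part of the post above: a small Python checker that reads an Apache 1.x style access.conf, lists each <Directory> block with the override classes it grants, and flags those that let untrusted users override AuthConfig, Options, FileInfo or Indexes (only Limit is treated as harmless, following Sevo's advice). The embedded config is constructed for the example: the first block is the misconfiguration (AllowOverride All in user web space), the second is the corrected form where the administrator sets AllowOverride None and supplies the authentication setup and password file location in the server configuration. The paths and the "Members" realm are hypothetical, and the checker assumes that a <Directory> block with no AllowOverride line inherits the Apache 1.x default of All.

```python
import re
from typing import List, Set, Tuple

# Constructed sample access.conf (not from the post). First block: the
# configuration error described in the post. Second block: the corrected
# form with no overrides for untrusted users and an admin-chosen
# AuthUserFile. Paths and realm name are hypothetical.
SAMPLE_CONFIG = """\
# Weak: any user with FTP write access to public_html can drop a
# .htaccess that overrides AuthConfig, Options, FileInfo and Indexes.
<Directory /home/*/public_html>
    AllowOverride All
</Directory>

# Corrected: no per-directory overrides; the server administration
# provides the password file name and location.
<Directory /home/*/public_html>
    AllowOverride None
    AuthType Basic
    AuthName "Members"
    AuthUserFile /usr/local/etc/httpd/conf/users.passwd
    require valid-user
</Directory>
"""

# Override classes understood by AllowOverride in Apache 1.x.
ALL_CLASSES = {"AuthConfig", "FileInfo", "Indexes", "Limit", "Options"}
# Everything except Limit is abusable per the post: AuthConfig for the
# DoS and password probing, the rest for publishing server-readable files.
RISKY_CLASSES = ALL_CLASSES - {"Limit"}
_CANON = {c.lower(): c for c in ALL_CLASSES | {"All", "None"}}

DIRECTORY_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S | re.I)
OVERRIDE_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.M | re.I)


def parse_directories(config: str) -> List[Tuple[str, Set[str]]]:
    """Return (path, override tokens) for each <Directory> block.

    A block without an AllowOverride line is recorded as {'All'}: the
    Apache 1.x default when the directive is absent (assumption)."""
    blocks = []
    for m in DIRECTORY_RE.finditer(config):
        path, body = m.group(1).strip(), m.group(2)
        ov = OVERRIDE_RE.search(body)
        if ov is None:
            tokens = {"All"}
        else:
            # Directive arguments are matched case-insensitively.
            tokens = {_CANON.get(t.lower(), t) for t in ov.group(1).split()}
        blocks.append((path, tokens))
    return blocks


def risky_overrides(tokens: Set[str]) -> Set[str]:
    """Expand 'All'/'None' and return the abusable classes granted."""
    if "None" in tokens:
        return set()
    granted = set(tokens)
    if "All" in granted:
        granted = granted | ALL_CLASSES
    return granted & RISKY_CLASSES


def audit(config: str) -> List[Tuple[str, List[str]]]:
    """List every <Directory> that grants an abusable override class."""
    findings = []
    for path, tokens in parse_directories(config):
        risky = risky_overrides(tokens)
        if risky:
            findings.append((path, sorted(risky)))
    return findings


if __name__ == "__main__":
    for path, classes in audit(SAMPLE_CONFIG):
        print(f"{path}: untrusted users may override {', '.join(classes)}")
```

Run it against the real access.conf (or httpd.conf in later versions) rather than the embedded sample; only the first, weak block is reported, while the corrected block with AllowOverride None produces no finding.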