Re: Apache 2.0.(39|40) DOS (PHP!)

[ulfh () Update UU SE (Ulf H{rnhammar)]

On Mon, Sep 23, 2002 at 12:33:04PM -0700, shaddup () hush com wrote:
> - -=~=-_-=~=-_-=~=-
> I put PHP in the title so I know this message will reach the "sekur1ty c0mmun1ty", that *knows* that PHP is bad, 
> because it's easy to write insecure applications, unlike C.
> - -=~=-_-=~=-_-=~=-
> Problem:
>  o Apache 2.0 (.39 and .40 tested) on Linuxx0r (and possibly other OS's)
>  will hang on a write to stderr that is larger than the default buffer
>  size (4k on Linux)
> Impact:
>  o Local users can cause apache's httpd process to hang
>  o Possible new DoS to look for in web apps that write
>  user input to stderr!

*whiny voice* This is a bug in the web applications, and not in Apache. *moan*

// Ulf