From: Terry Lambert
To: Patrick Thomas
Cc: freebsd-hackers@freebsd.org
Date: Thu, 20 Jun 2002 19:59:20 -0700
Subject: Re: inuring FreeBSD to the apache bug without upgrading apache ?

Patrick Thomas wrote:
> Is it possible to patch/recompile FreeBSD 4.5 in such a way that your
> system is no longer vulnerable to the "chunking" attack, even if you are
> still running a vulnerable apache ?

Not FreeBSD, but it's possible to reconfigure Apache.

The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. The only place this is an issue is if you need to reuse an HTTP connection, and that only occurs in HTTP 1.1 when you are doing pipelining. Everywhere else, you can indicate an end of data by having the server close the connection.
Thus you do not need to use chunking in order to get around the fact that the CGI was written by someone who did not attach a proper "Content-Length:" header because they were too lazy to determine ahead of time how much data they would be putting out.

The exploit is chunking from the client to the server. I guess you would have to endure that Apache in 1.0 mode refused chunked data in POSTs, etc. (last time I looked at the source code, I thought it did).

This won't work if you are requiring 1.1 features for your application, but in most cases, no one uses these features much anyway.

Though turning this off if you have a Netscaler or a similar connection-reusing cache might drop your overall throughput, so if you are over the border on that, you may want to take that into account (most people don't know what their web servers are doing anyway, so it's probably never going to make a difference for you, anyway).

-- Terry
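The HTTP/1.0-mode behaviour Terry describes, modelled as an added example (not his code and not Apache's): a request gate that never hands a body to a chunk parser, and a response framer that delimits a length-less CGI body by closing the connection. Function names, status choices and the sample requests are constructed for illustration.

```python
# Added example: what an "HTTP/1.0 only" server does with request bodies
# and response framing. Names and sample requests are hypothetical.

def parse_request_head(raw):
    """Split a request head into (method, target, version, lowercased headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def http10_body_policy(raw):
    """Decide how an HTTP/1.0-only server frames a request body.

    Returns (status, reason). 0 means accept a Content-Length-delimited
    body; 411 refuses a body with no length; 501 refuses any
    transfer-coding, because chunking is an HTTP/1.1 feature and this
    server has no chunk parser to reach at all.
    """
    method, _, _, h = parse_request_head(raw)
    if h.get("transfer-encoding"):
        return 501, "transfer-coding not supported in HTTP/1.0 mode"
    if method in ("POST", "PUT"):
        cl = h.get("content-length")
        if cl is None or not cl.isdigit():
            return 411, "Length Required"
    return 0, "accept body delimited by Content-Length"


def frame_response(status, body, length_known):
    """Header lines for an HTTP/1.0 reply.

    A CGI that emitted no Content-Length is still deliverable: the end of
    the body is signalled by closing the connection, not by chunking.
    """
    lines = ["HTTP/1.0 %d" % status, "Connection: close"]
    if body is not None and length_known:
        lines.append("Content-Length: %d" % len(body))
    return lines
```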