Date: Thu, 20 Jun 2002 19:59:20 -0700 From: Terry Lambert <tlambert2@mindspring.com> To: Patrick Thomas <root@utility.clubscholarship.com> Cc: freebsd-hackers@freebsd.org Subject: Re: inuring FreeBSD to the apache bug without upgrading apache ? Message-ID: <3D129688.356A87D0@mindspring.com> References: <20020620141424.U68572-100000@utility.clubscholarship.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Patrick Thomas wrote: > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your > system is no longer vulnerable to the "chunking" attack, even if you are > still running a vulnerable apache ? Not FreeBSD, but it's possible to reconfigure Apache. The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. The only place this is an issue is if you need to reuse an HTTP connection, and that only occurs in HTTP 1.1 when you are doing pipelining. Everywhere else, you can indicate an end of data by having the server close the connection. Thus you do not need to use chunking in order to get around the fact that the CGI was written by someone who did not attach a proper "Content-Length:" header because they were too lazy to determine ahjead of time how much data they would be putting out. The exploit is chunking from the client to the server. I guess you would have to endure that Apache in 1.0 mode refused chunked data in POST's, etc. (last time I looked at the source code, I thought it did). This won't work if you are requiring 1.1 features for your applciation, but in most cases, no one uses these features much anyway. Though turning this off if you have a Netscaler or a similar connection reusing cache might drop your overall throughput, so if you are over the border on that, you may want to take that into account (most people don't know what their web servers are doing anyway, so it's probably never going to make a difference for you, anyway). -- Terry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D129688.356A87D0>