Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 23 Jun 2002 02:06:20 -0700
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Joshua Lee <yid@softhome.net>
Cc:        root@utility.clubscholarship.com, freebsd-hackers@freebsd.org
Subject:   Re: inuring FreeBSD to the apache bug without upgrading apache ?
Message-ID:  <3D158F8C.8AA61132@mindspring.com>
References:  <20020620141424.U68572-100000@utility.clubscholarship.com> <3D129688.356A87D0@mindspring.com> <20020623003014.1575c491.yid@softhome.net>

next in thread | previous in thread | raw e-mail | index | archive | help
Joshua Lee wrote:
> Terry Lambert <tlambert2@mindspring.com> wrote:
> > Patrick Thomas wrote:
> > > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your
> > > system is no longer vulnerable to the "chunking" attack, even if you are
> > > still running a vulnerable apache ?
> >
> > Not FreeBSD, but it's possible to reconfigure Apache.
> >
> > The way you would deal with this would be to tell Apache that it
> > was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature.
> 
> I've found a better solution! On today's freshports there is something
> called mod_blowchunks :-) If installed, it will reject chunking and log
> it. This is an alternative to upgrading Apache.

But if a client uses chunking legitimately, and does so becuase
it believes it's talking to an HTTP server, you've just broken
that client's ability to POST/PUT.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D158F8C.8AA61132>