53 points | by Yenrabbit 3 days ago ago
7 comments
Not ideal.
This appears to be fixed as of April (at least for Apache). [0].
[0] - https://github.com/nginx/nginx/commit/365694160a85229a7cb006...
> We disclosed to Apache on May 27, and Stefan Eissing fixed it on the same day by making cookie headers count against LimitRequestFields.
I was about to say, the bug here isn't in the protocol, it's that memory use isn't being counted & limited as it should... and, yeah.
I'm a bit surprised this happened to Apache, though. APR uses pool allocators. That should be easy enough to track and limit...
After reading the article, I can conclude that Codex discovered nothing new.
This is already something that is known, and if you're able to be targeted by this (which is not the majority of users) configure your httpd differently.
Apache and nginx maintainers implemented fixes one or two days after the author reported, so how do you mean this was known already?
AFIAK, it was already being actively exploited in DDoS attacks.
Couldn’t simple fuzzing have found this?
Not really, as it wasn't found for close to a decade (>5 years for most webservers).
Not ideal.
This appears to be fixed as of April (at least for Apache). [0].
[0] - https://github.com/nginx/nginx/commit/365694160a85229a7cb006...
> We disclosed to Apache on May 27, and Stefan Eissing fixed it on the same day by making cookie headers count against LimitRequestFields.
I was about to say, the bug here isn't in the protocol, it's that memory use isn't being counted & limited as it should... and, yeah.
I'm a bit surprised this happened to Apache, though. APR uses pool allocators. That should be easy enough to track and limit...
After reading the article, I can conclude that Codex discovered nothing new.
This is already something that is known, and if you're able to be targeted by this (which is not the majority of users) configure your httpd differently.
Apache and nginx maintainers implemented fixes one or two days after the author reported, so how do you mean this was known already?
AFIAK, it was already being actively exploited in DDoS attacks.
Couldn’t simple fuzzing have found this?
Not really, as it wasn't found for close to a decade (>5 years for most webservers).