


Category:   Application (Web Server/CGI)  >   Apache HTTPD
Vendors:   Apache Software Foundation
Apache Web Server mod_cgi Error May Let Malicious CGI Scripts Crash the Web Service
SecurityTracker Alert ID:  1007823
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 27 2003
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0.47
Description:   A denial of service vulnerability was reported in the Apache 2.0 web server. A user with the ability to place CGI scripts on the server can cause the web service to hang.

It is reported that a CGI script that writes more than 4k of output to STDERR will hang. This, in turn, may cause the Apache httpd process to hang while waiting for additional input from the CGI process, due to a blocked write() function call in mod_cgi.

The Apache httpd server may fail to respond to subsequent requests.

A demonstration exploit script is provided in the Source Message.

Brandon Black is credited with reporting this flaw.

Impact:   A user with privileges to place CGI scripts on the server can call a malicious script that will cause the httpd process to hang.
Solution:   The vendor has issued a fixed version of mod_cgi.c, available from the Apache 2.1 CVS repository.
Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 27 2003 (Mandrake Issues Fix) Apache Web Server mod_cgi Error May Let Malicious CGI Scripts Crash the Web Service
Mandrake has released a fix.

 Source Message Contents


 > Apache 2.0.47

 > SECURITY: 4097+ bytes of stderr from cgi script causes script to hang

Reported by Brandon Black

 > If a cgi script under mod_cgi outputs more than 4096 bytes of stderr before it
 > finishes writing to and closing its stdout, the write() in the cgi script
 > containing the 4097th byte of stderr will hang indefinitely, hanging the
 > script's execution.
 > This appears to be caused by the fact that mod_cgi reads all stdout output
 > first, and then begins reading stderr output.  APR's file_io which is handling
 > the streams will only buffer 4096 characters before further writes by the
 > script to stderr will hang, waiting for mod_cgi to read some of the data from
 > the stream via APR file_io.
 > This occurred for me where a perl cgi script was producing a large volume of
 > harmless warning messages to ssl_error_log before it got to the part of its
 > execution where it actually wrote the stdout output, and causing the script to
 > hang and produce no output to the end user.  Below is a test script to
 > demonstrate:
 > #!/usr/bin/perl
 > # 24x170 = 4080 bytes to stderr
 > foreach my $x (1..24) {
 >   print STDERR 'X' x 169 . "\n";
 > }
 > # + 17 more bytes, putting us at 4097
 > # Delete one char from the print below to make
 > # it work again
 > print STDERR "0123456789ABCDEF\n";
 > # Our actual script output, which never comes
 > print "Content-type: text/plain\n\nASDF\n";

