Bug 97922

Summary: mod_rewrite gets stuck in an infinite loop and causes httpd to chew resources until it is killed by the kernel
Product: [Retired] Red Hat Linux
Reporter: Jon Benson <jon>
Component: apache
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
Severity: medium
Priority: high
Version: 7.1
CC: jorton, mjc
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-12-12 09:13:31 UTC

Description Jon Benson 2003-06-24 03:57:08 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 
1.0.3705; .NET CLR 1.1.4322)

Description of problem:
If a user creates a .htaccess file of the appropriate type, please email me 
directly for an example, it will result in an infinite loop and the end result 
will be a runaway httpd process taking all the CPU time it can get and an ever 
increasing amount of memory before the kernel kills it.

Adding the following to the .htaccess file will prevent it:
RewriteOptions MaxRedirects=10

But this is supposedly a default value according to:
http://httpd.apache.org/docs/mod/mod_rewrite.html#RewriteOptions

I presume this will also affect other (newer) versions of RedHat but I won't 
have the chance to test this until this evening with 7.3 at home.

Version-Release number of selected component (if applicable):
apache-1.3.27-1.7.1

How reproducible:
Always

Steps to Reproduce:
1. Create appropriate .htaccess file
2. Request a page in IE/Mozilla


Actual Results:  Server load goes out of control until the kernel kills the 
process in question.  Multiple requests = multiple processes and a big mess.

Expected Results:  mod_rewrite should have detected the loop and returned an 
Internal Server Error

Additional info:

This bug will only be exploitable if a custom Apache configuration is used as 
the default configuration prevents use of .htaccess files for overriding 
options.

Comment 1 Jon Benson 2003-06-24 05:32:25 UTC
I've just realised that MaxRedirects is listed as supported in Apache 1.3.28 
and above.  As this provides means for a DOS attack I believe RedHat should 
release an errata with the newer version of Apache and hence this support, and 
the default value.


Comment 2 Mark J. Cox 2003-12-12 09:13:31 UTC
We did release an errata that included the new directive. See:
http://rhn.redhat.com/errata/RHSA-2003-243.html
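
Added example, not part of the original report or of Red Hat's tooling: a Python audit that flags .htaccess files which use mod_rewrite directives without the RewriteOptions MaxRedirects setting the reporter gives as the workaround. The function names and the sample file contents are assumptions made for illustration.

```python
"""Flag .htaccess files that use mod_rewrite without an explicit
RewriteOptions MaxRedirects limit. Added example; names are hypothetical."""
import os
import re

RULE_RE = re.compile(r"^\s*Rewrite(Rule|Cond)\b", re.IGNORECASE)
OPTS_RE = re.compile(r"^\s*RewriteOptions\s+(.*)$", re.IGNORECASE)
MAXR_RE = re.compile(r"\bMaxRedirects=(\d+)\b", re.IGNORECASE)

# Constructed sample: a rewrite rule with no RewriteOptions line.
SAMPLE = "RewriteEngine On\nRewriteRule ^old\\.html$ new.html [L]\n"


def logical_lines(text):
    """Join backslash-continued lines and drop comment lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    return [l for l in joined.splitlines() if not l.lstrip().startswith("#")]


def check_htaccess(text):
    """Return (uses_rewrite, max_redirects or None) for one file's text."""
    uses_rewrite, limit = False, None
    for line in logical_lines(text):
        if RULE_RE.match(line):
            uses_rewrite = True
        opts = OPTS_RE.match(line)
        if opts:
            found = MAXR_RE.search(opts.group(1))
            if found:
                limit = int(found.group(1))  # keep the last value seen
    return uses_rewrite, limit


def audit_tree(root):
    """Walk root; list .htaccess paths with rewrite rules but no limit."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                uses_rewrite, limit = check_htaccess(fh.read())
            if uses_rewrite and limit is None:
                flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    import sys
    print("sample:", check_htaccess(SAMPLE))
    for p in (audit_tree(sys.argv[1]) if len(sys.argv) > 1 else []):
        print("rewrite rules without MaxRedirects:", p)
```

Run it with the document root as the only argument to list the files that need the directive added.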