Red Hat Bugzilla – Bug 97922
mod_rewrite gets stuck in an infinite loop and causes httpd to chew resources until it is killed by the kernel
Last modified: 2007-03-27 00:07:20 EDT
From Bugzilla Helper: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322) Description of problem: If a user creates a .htaccess file of the appropriate type, please email me directly for an example, it will result in an infinite loop and the end result will be a runaway httpd proccess taking all the CPU time it can get and an ever increasing amount of memory before the kernel kills it. Adding the following to the .htaccess file will prevent it: RewriteOptions MaxRedirects=10 But this is supposedly a default value according to: http://httpd.apache.org/docs/mod/mod_rewrite.html#RewriteOptions I presume this will also effect other (newer) versions of RedHat but I won't have the chance to test this until this evening with 7.3 at home. Version-Release number of selected component (if applicable): apache-1.3.27-1.7.1 How reproducible: Always Steps to Reproduce: 1. Create appropriate .htaccess file 2. Request a page in IE/Mozilla Actual Results: Server load goes out of control until the kernel kills the proccess in question. Multiple requests = multiple processes and a big mess. Expected Results: mod_rewrite should have detected the loop and returned an Internal Server Error Additional info: This bug will only be exploitable if a custom Apache configuration is used as the default configuration prevents use of .htaccess files for overriding options.
I've just realised that MaxRedirects is listed as supported in Apache 1.3.28 and above. As this provides means for a DOS attack I believe RedHat should release an errata with the newer version of Apache and hence this support, and the default value.
We did release an errata that included the new directive. See: http://rhn.redhat.com/errata/RHSA-2003-243.html