Bug 97922 - mod_rewrite gets stuck in an infinite loop and causes httpd to chew resources until it is killed by the kernel
Summary: mod_rewrite gets stuck in an infinite loop and causes httpd to chew resources...
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: apache   
(Show other bugs)
Version: 7.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2003-06-24 03:57 UTC by Jon Benson
Modified: 2007-03-27 04:07 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-12-12 09:13:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Jon Benson 2003-06-24 03:57:08 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 
1.0.3705; .NET CLR 1.1.4322)

Description of problem:
If a user creates a .htaccess file of the appropriate type, please email me 
directly for an example, it will result in an infinite loop and the end result 
will be a runaway httpd proccess taking all the CPU time it can get and an ever 
increasing amount of memory before the kernel kills it.

Adding the following to the .htaccess file will prevent it:
RewriteOptions MaxRedirects=10

But this is supposedly a default value according to:

I presume this will also effect other (newer) versions of RedHat but I won't 
have the chance to test this until this evening with 7.3 at home.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create appropriate .htaccess file
2. Request a page in IE/Mozilla

Actual Results:  Server load goes out of control until the kernel kills the 
proccess in question.  Multiple requests = multiple processes and a big mess.

Expected Results:  mod_rewrite should have detected the loop and returned an 
Internal Server Error

Additional info:

This bug will only be exploitable if a custom Apache configuration is used as 
the default configuration prevents use of .htaccess files for overriding 

Comment 1 Jon Benson 2003-06-24 05:32:25 UTC
I've just realised that MaxRedirects is listed as supported in Apache 1.3.28 
and above.  As this provides means for a DOS attack I believe RedHat should 
release an errata with the newer version of Apache and hence this support, and 
the default value.

Comment 2 Mark J. Cox 2003-12-12 09:13:31 UTC
We did release an errata that included the new directive. See:

Note You need to log in before you can comment on or make changes to this bug.