Bug 97922 - mod_rewrite gets stuck in an infinite loop and causes httpd to chew resources until it is killed by the kernel
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: apache
Version: 7.1
Hardware: i386 Linux
Priority: high
Severity: medium
Assigned To: Nalin Dahyabhai
Keywords: Security
Reported: 2003-06-23 23:57 EDT by Jon Benson
Modified: 2007-03-27 00:07 EDT (History)
Doc Type: Bug Fix
Last Closed: 2003-12-12 04:13:31 EST
Description Jon Benson 2003-06-23 23:57:08 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 
1.0.3705; .NET CLR 1.1.4322)

Description of problem:
If a user creates a .htaccess file of the appropriate type (please email me 
directly for an example), it will result in an infinite loop, and the end result 
will be a runaway httpd process taking all the CPU time it can get and an 
ever-increasing amount of memory before the kernel kills it.

Adding the following to the .htaccess file will prevent it:
RewriteOptions MaxRedirects=10

But this is supposedly a default value according to:
http://httpd.apache.org/docs/mod/mod_rewrite.html#RewriteOptions

I presume this will also affect other (newer) versions of RedHat but I won't 
have the chance to test this until this evening with 7.3 at home.

Version-Release number of selected component (if applicable):
apache-1.3.27-1.7.1

How reproducible:
Always

Steps to Reproduce:
1. Create appropriate .htaccess file
2. Request a page in IE/Mozilla


Actual Results:  Server load goes out of control until the kernel kills the 
process in question.  Multiple requests = multiple processes and a big mess.

Expected Results:  mod_rewrite should have detected the loop and returned an 
Internal Server Error

Additional info:

This bug will only be exploitable if a custom Apache configuration is used as 
the default configuration prevents use of .htaccess files for overriding 
options.
Comment 1 Jon Benson 2003-06-24 01:32:25 EDT
I've just realised that MaxRedirects is listed as supported in Apache 1.3.28 
and above.  As this provides means for a DOS attack I believe RedHat should 
release an errata with the newer version of Apache and hence this support, and 
the default value.
Comment 2 Mark J. Cox (Product Security) 2003-12-12 04:13:31 EST
We did release an errata that included the new directive. See:
http://rhn.redhat.com/errata/RHSA-2003-243.html
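
An added example, not part of the bug report or of Apache's own code: a small audit for the mitigation named in the description, listing .htaccess files that contain RewriteRule but no explicit "RewriteOptions MaxRedirects=N" line. The function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile

# Apache directive names are case-insensitive. Both patterns are anchored at
# the start of the line, so commented-out directives ("# Rewrite...") are ignored.
RULE_RE = re.compile(r"^\s*RewriteRule\b", re.IGNORECASE)
LIMIT_RE = re.compile(r"^\s*RewriteOptions\b.*\bMaxRedirects=(\d+)", re.IGNORECASE)

def scan_htaccess(text):
    """Return (rule_count, limit) for one .htaccess body; limit is None if unset."""
    rules, limit = 0, None
    for line in text.splitlines():
        if RULE_RE.match(line):
            rules += 1
        m = LIMIT_RE.match(line)
        if m:
            limit = int(m.group(1))
    return rules, limit

def audit_tree(root):
    """Walk root and list .htaccess files with RewriteRule but no MaxRedirects."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            rules, limit = scan_htaccess(fh.read())
        if rules and limit is None:
            findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample docroot: one file with the limit, one without, one unrelated."""
    samples = {
        "shop": "RewriteEngine On\nRewriteOptions MaxRedirects=10\nRewriteRule ^old$ new.html [L]\n",
        "blog": "RewriteEngine On\n# RewriteOptions MaxRedirects=10\nRewriteRule ^feed$ rss.xml [L]\n",
        "static": "Options -Indexes\n",
    }
    for name, body in samples.items():
        os.makedirs(os.path.join(root, name), exist_ok=True)
        with open(os.path.join(root, name, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as docroot:
        build_sample_tree(docroot)
        for rel in audit_tree(docroot):
            print("no MaxRedirects limit:", rel)
```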
