Apache Httpd < 2.0.65: apr_fnmatch flaw leads to mod_autoindex remote DoS

2011-03-02T00:00:00
ID HTTPD:F9EDCDE72340E9AB20BDCD0EB3845AD6
Type httpd
Reporter Maksymilian Arciemowicz
Modified 2011-05-21T00:00:00

Description

A flaw was found in the apr_fnmatch() function of the bundled APR library. Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contains files with sufficiently long names, a remote attacker could send a carefully crafted request that causes excessive CPU usage. This could be used in a denial of service attack.

Workaround: Setting the 'IgnoreClient' option on the 'IndexOptions' directive disables processing of the client-supplied request query arguments, preventing this attack.

Resolution: Update APR to release 0.9.20 (to be bundled with httpd 2.0.65).
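The workaround above, shown as an added httpd configuration example (not taken from the advisory or from the Apache project) for a 2.0.x server that cannot yet be updated; the directory path /var/www/pub is an assumed placeholder.

```apache
# Added example, not part of the advisory. Shows a mod_autoindex listing
# before and after applying the IgnoreClient workaround. Use one block or
# the other for a given path, not both; the first is kept only for contrast.

# BEFORE (exposed): directory listings are enabled and mod_autoindex honours
# the client's query string (column sorting such as ?C=N;O=D and the ?P=
# filename pattern), so client-controlled patterns reach apr_fnmatch().
<Directory "/var/www/pub">
    Options +Indexes
    IndexOptions FancyIndexing
</Directory>

# AFTER (mitigated): IgnoreClient makes mod_autoindex ignore every query
# argument sent by the client. Listings still render, but the client can no
# longer choose sort order or supply a pattern (IgnoreClient also implies
# SuppressColumnSorting). This is the interim measure until the APR update.
<Directory "/var/www/pub">
    Options +Indexes
    IndexOptions FancyIndexing IgnoreClient
</Directory>
```

Run `httpd -t` after the change to confirm the configuration parses before reloading the server.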