Vigil@nce: Apache httpd, denial of service via mod_proxy_ajp
September 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When mod_proxy_ajp is used with mod_proxy_balancer, an attacker
can use an unknown HTTP method, in order to create a denial of
service.
– Severity: 2/4
– Creation date: 14/09/2011
IMPACTED PRODUCTS
– Apache httpd
– HP-UX
DESCRIPTION OF THE VULNERABILITY
The mod_proxy module provides a generic proxy service for Apache
httpd. The mod_proxy_ajp module adds the AJP13 (Apache JServ
Protocol version 1.3) support, which is used with Tomcat. The
mod_proxy_balancer module is used to balance the load between
several proxies.
The HTTP protocol defines a list of methods (GET, POST, etc.)
which are used in queries.
The ap_proxy_ajp_request() function of the
modules/proxy/mod_proxy_ajp.c file does not ignore unknown HTTP
methods. When mod_proxy_balancer is also used, the proxy worker
that handled such a request enters an error state. By sending
several such queries, an attacker can thus put all balanced
proxies into the error state.
When mod_proxy_ajp is used with mod_proxy_balancer, an attacker
can therefore use an unknown HTTP method, in order to create a
denial of service.
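As an added defender-side example (not part of the Vigil@nce bulletin), the following Python script scans Apache "combined" access-log lines for requests using a method outside the known HTTP set and reports clients whose count of such requests reaches the number of balancer members, which is the point at which, per the description above, every AJP worker could have been driven into the error state. The log lines and the balancer size are constructed for the example.

```python
import re
from collections import Counter

# HTTP/1.1 methods plus the WebDAV methods httpd itself recognises;
# anything else is treated as unknown for this check.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}

# Apache "combined" log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def parse_request_method(line):
    """Return (client, method) for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, request = m.group(1), m.group(2)
    # The request line is "METHOD URI PROTOCOL"; the first token is the method.
    method = request.split(" ", 1)[0] if request else ""
    return client, method

def unknown_method_requests(lines):
    """Count, per client, the requests whose method is not a known HTTP method."""
    counts = Counter()
    for line in lines:
        parsed = parse_request_method(line)
        if parsed is None:
            continue
        client, method = parsed
        if method not in KNOWN_METHODS:
            counts[client] += 1
    return counts

def clients_at_risk(lines, balancer_members):
    """Clients whose unknown-method requests reach the number of balancer
    members, i.e. enough to have put every balanced AJP worker in error state."""
    counts = unknown_method_requests(lines)
    return sorted(c for c, n in counts.items() if n >= balancer_members)

# Constructed sample log lines (not taken from the advisory or a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Sep/2011:10:00:01 +0200] "GET /app/index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Sep/2011:10:00:02 +0200] "FOOBAR /app/ HTTP/1.1" 503 0 "-" "curl/7.21"',
    '10.0.0.9 - - [14/Sep/2011:10:00:03 +0200] "FOOBAR /app/ HTTP/1.1" 503 0 "-" "curl/7.21"',
    '10.0.0.5 - - [14/Sep/2011:10:00:04 +0200] "POST /app/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [14/Sep/2011:10:00:05 +0200] "XYZZY /app/ HTTP/1.1" 503 0 "-" "curl/7.21"',
]

if __name__ == "__main__":
    print(unknown_method_requests(SAMPLE_LOG))          # per-client counts
    print(clients_at_risk(SAMPLE_LOG, balancer_members=2))  # ['10.0.0.9']
```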
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-httpd-denial-of-service-via-mod-proxy-ajp-10991