Apache Web Server Type-Map递归循环远程拒绝服务漏洞

发布时间：2003-07-08
更新时间：2003-07-09
严重程度：中
威胁程度：本地拒绝服务
错误类型：设计错误
利用方式：服务器模式

BUGTRAQ ID：8138

受影响系统

Apache Software Foundation Apache 2.0.43
Apache Software Foundation Apache 2.0.44
   + MandrakeSoft Linux Mandrake 9.1
   + MandrakeSoft Linux Mandrake 9.1 ppc
Apache Software Foundation Apache 2.0.45
   - Apple MacOS X 10.0
   - Apple MacOS X 10.0.1
   - Apple MacOS X 10.0.2
   - Apple MacOS X 10.0.3
   - Apple MacOS X 10.0.4
   - Apple MacOS X 10.1
   - Apple MacOS X 10.1
   - Apple MacOS X 10.1.1
   - Apple MacOS X 10.1.2
   - Apple MacOS X 10.1.3
   - Apple MacOS X 10.1.4
   - Apple MacOS X 10.1.5
   - Apple MacOS X 10.2
   - Apple MacOS X 10.2.1
   - Apple MacOS X 10.2.2
   - Apple MacOS X 10.2.3
   - Apple MacOS X 10.2.4
   - Apple MacOS X 10.2.5
   - Apple MacOS X 10.2.6
   + Conectiva Linux 9.0
Apache Software Foundation Apache 2.0.46
   + Trustix Secure Linux 2.0

详细描述
Apache HTTP Server v2支持内容协商功能，可根据浏览器功能和语言自动向客户机提供内容。

type-map问是用于资源协商的其中一个方法。本地攻击者可以是APACHE HTTP服务解析恶意type-map文件触发循环，消耗大量资源而造成拒绝服务。

测试代码
尚无

解决方案
补丁下载：

Apache Software Foundation Apache 2.0.43:

Apache Software Foundation Upgrade Apache httpd 2.0.47
http://httpd.apache.org/download.cgi

Apache Software Foundation Apache 2.0.44:

Apache Software Foundation Upgrade Apache httpd 2.0.47
http://httpd.apache.org/download.cgi

Apache Software Foundation Apache 2.0.45:

Apache Software Foundation Upgrade Apache httpd 2.0.47
http://httpd.apache.org/download.cgi

Apache Software Foundation Apache 2.0.46:

Apache Software Foundation Upgrade Apache httpd 2.0.47
http://httpd.apache.org/download.cgi

相关信息
参考：http://www.lac.co.jp/security/english/snsadv_e/66_e.html
相关主页：http://www.apache.org/dist/httpd/CHANGES_2.0

最近严重漏洞

Apache Web Server Type-Map递归循环远程拒绝服务漏洞