Re: Apache 2.x leaked descriptors
From: Christian Kratzer (ck@cksoft.de)
Date: 02/22/03
Date: Sat, 22 Feb 2003 13:43:54 +0100 (CET)
From: Christian Kratzer <ck@cksoft.de>
To: Steve Grubb <linux_4ever@yahoo.com>

Hi,
On Fri, 21 Feb 2003, Steve Grubb wrote:
>
>
> Hello,
>
> I noticed a problem with apache 2.x back in October and contacted the
> apache security team with the problem. They've had about 4 months to do
> something with the problem but haven't seen fit to fix it yet. The last
> time I tried to status their progress no one replied to my query.
>
> I was playing around with env_audit studying various properties of
> environments created for child processes. (Study is here -
> http://www.web-insights.net/env_audit/environments.pdf ) Out of this, I
> noticed that apache 2.x leaks 2 open descriptors for each website on a
> machine and the main access & error log for the daemon. These open
> descriptors go to the access and error log of each website.
>
> It appears that every cgi environment has this problem. For example put
> this in a .shtml file:

There is a proposed fix for this in

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17206

The bug seems to have been in apache for quite some time but only
appeared after a typo in the apr library was fixed for apache 2.0.40.

We have also not had a reaction from the apache group yet.

Greetings
Christian Kratzer
CK Software GmbH
--
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de
Phone: +49 7452 889-135
Open Software Solutions, Network Security
Fax: +49 7452 889-136
FreeBSD spoken here!
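
The thread concerns log descriptors that stay open in CGI child processes. The C program below is an added illustration, not code from this thread, from Apache, or from env_audit: it shows a descriptor opened by a parent surviving fork() and exec() into a child, and the same descriptor being closed at exec once FD_CLOEXEC is set. It assumes a Linux-style /dev/fd and /bin/sh; /dev/null stands in for a log file, and the function name is hypothetical.

```c
/* Added example, not Apache or env_audit code. Assumes a Linux-style /dev/fd
 * and /bin/sh; /dev/null stands in for a web server's log file. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open the stand-in log, optionally mark it close-on-exec, then fork and
 * exec a shell (playing the CGI program) that tests whether the same
 * descriptor number is open in its own process.
 * Returns 1 if the exec'd child inherited it, 0 if not, -1 on error. */
int child_inherits_log_fd(int set_cloexec)
{
    int fd = open("/dev/null", O_WRONLY | O_APPEND);
    if (fd < 0)
        return -1;
    if (set_cloexec) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            return -1;
        }
    }
    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        char num[16];
        snprintf(num, sizeof num, "%d", fd);
        /* $1 is the descriptor number; exit 0 = open, 1 = not open */
        execl("/bin/sh", "sh", "-c", "[ -e \"/dev/fd/$1\" ]", "sh", num, (char *)NULL);
        _exit(127); /* exec failed */
    }
    close(fd);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0)
        return 1;
    return WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    printf("plain open():    inherited=%d\n", child_inherits_log_fd(0));
    printf("with FD_CLOEXEC: inherited=%d\n", child_inherits_log_fd(1));
    return 0;
}
```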