
Proof of concept for Apache htpasswd denial of service


hannob/htpasswdos


background

htpasswDoS: Local Denial of Service via Apache httpd password hashes

htpasswdos

In this repository you'll find examples to cause a denial of service via htpasswd files in Apache httpd.

In the subdirectory htpasswdos-manual you can find a simple .htaccess and password file. Uploading these to a web server with .htaccess and authentication enabled, then trying to log in with the username guest and any password, will cause several hours of resource exhaustion on the server. The file path in the file "pass" needs to be adapted.

In the subdirectory htpasswdos-php you'll find a PHP script that does all of this automatically. It creates a suitable .htaccess and password file in a subdirectory and then requests it multiple times via iframes.

If you want to protect against this kind of attack you can apply this patch against apr-util. This was applied upstream in apr-util 1.6.0.
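On servers that cannot be updated right away, password files can be audited for entries whose hash carries an unusually high work factor. The script below is an added example, not code from this repository; it assumes the costly entries are bcrypt or SHA-crypt hashes with a tunable cost (the README does not say which scheme the PoC uses), and the thresholds and sample entries are constructed.

```python
import re

# Thresholds are assumptions for this example, not values from the apr-util patch.
MAX_BCRYPT_COST = 12            # bcrypt cost is log2 of the iteration count
MAX_SHACRYPT_ROUNDS = 100_000

BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$")
SHACRYPT_RE = re.compile(r"^\$[56]\$(?:rounds=(\d+)\$)?")

def work_factor(hash_field):
    """Return (scheme, cost) for tunable-cost hashes, None for anything else."""
    m = BCRYPT_RE.match(hash_field)
    if m:
        return "bcrypt", int(m.group(1))
    m = SHACRYPT_RE.match(hash_field)
    if m:
        # crypt(3) defaults to 5000 rounds when no rounds= parameter is given.
        return "sha-crypt", int(m.group(1)) if m.group(1) else 5000
    return None

def audit_htpasswd(text):
    """Return [(line_no, user, scheme, cost)] for entries above the thresholds."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        factor = work_factor(hash_field)
        if factor is None:
            continue
        scheme, cost = factor
        limit = MAX_BCRYPT_COST if scheme == "bcrypt" else MAX_SHACRYPT_ROUNDS
        if cost > limit:
            findings.append((line_no, user, scheme, cost))
    return findings

# Constructed entries; the hash bodies are filler, not real hashes.
SAMPLE = "\n".join([
    "# constructed sample password file",
    "alice:$2y$05$" + "A" * 53,
    "guest:$2y$20$" + "B" * 53,
    "bob:$6$rounds=5000000$examplesalt$" + "C" * 86,
    "carol:$apr1$examplesalt$" + "D" * 22,
    "dave:$6$examplesalt$" + "E" * 86,
])

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print("line %d: user %s uses %s with cost %d" % finding)
```

Run it over every file referenced by an AuthUserFile directive, including those in user-writable directories, since the scenario in this README relies on the password file being supplied by the uploader.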
