Proof of concept for Apache htpasswd denial of service
htpasswdos-manual
htpasswdos-php
LICENSE
README.md
apr-util-1.5-limit-dos.diff

README.md

background

htpasswDoS: Local Denial of Service via Apache httpd password hashes

htpasswdos

In this repository you'll find examples to cause a denial of service via htpasswd files in Apache httpd.

In the subdirectory htpasswdos-manual you can find a simple .htaccess and password file. Uploading these to a web server with .htaccess and authentication enabled and then trying to log in with the username guest and any password will cause several hours of resource exhaustion on the server. The file path in the file "pass" needs to be adapted.

In the subdirectory htpasswdos-php you'll find a PHP script that does all of that automatically. It creates a suitable .htaccess and password file in a subdirectory and then calls it multiple times via iframes.

If you want to protect against this kind of attack, you can apply the patch apr-util-1.5-limit-dos.diff from this repository against apr-util.
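A defender-side complement to the patch, added here and not part of this repository: a check that audits an htpasswd file for bcrypt entries whose work factor is far above what a web server can verify cheaply. The README does not spell out the mechanism, so this assumes the resource exhaustion comes from the bcrypt cost parameter; the threshold, the names and the sample file are all constructed.

```python
import re
from typing import Dict, List, Optional

# Only bcrypt ($2a$/$2b$/$2x$/$2y$) carries a tunable work factor in htpasswd files;
# $apr1$ (MD5), {SHA}, crypt(3) and plaintext cost roughly constant CPU per check.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
APR1_RE = re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")

# Flag bcrypt entries above this work factor (assumption: a site policy value;
# `htpasswd -B` defaults to cost 5, and each +1 doubles verification time).
MAX_COST = 12

def parse_entry(line: str) -> Optional[Dict[str, object]]:
    """Classify one htpasswd line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    user, sep, hashed = line.partition(":")
    entry: Dict[str, object] = {"user": user, "scheme": "invalid", "cost": None}
    if not sep:
        return entry
    m = BCRYPT_RE.match(hashed)
    if m:
        entry["scheme"], entry["cost"] = "bcrypt", int(m.group(1))
    elif APR1_RE.match(hashed):
        entry["scheme"] = "apr1"
    elif hashed.startswith("{SHA}"):
        entry["scheme"] = "sha1"
    else:
        entry["scheme"] = "other"  # crypt(3) or plaintext: no tunable cost
    return entry

def audit_htpasswd(text: str, max_cost: int = MAX_COST) -> List[Dict[str, object]]:
    """Return every bcrypt entry whose work factor exceeds max_cost."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and entry["scheme"] == "bcrypt" and entry["cost"] > max_cost:
            flagged.append(entry)
    return flagged

# Constructed sample file: hash bodies are filler of the right length, not real hashes.
SAMPLE = """\
alice:$apr1$9bUvXk3Z$AbCdEfGhIjKlMnOpQrStUv
bob:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
guest:$2y$31$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""
if __name__ == "__main__":
    for e in audit_htpasswd(SAMPLE):
        print(f"{e['user']}: bcrypt cost {e['cost']} exceeds {MAX_COST}")
```

Running it against the constructed sample flags only the guest entry; pointing it at real AuthUserFile targets before they are deployed catches the same class of entry without needing the apr-util patch in place.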