Re: Vulnerability Report

[mcatanzaro gnome org]

Hi constantine, not sure how we missed this. Forwarding it on to 
infrastructure security response:

Hi Andrea/secresp, could you look into this please? The description in 
the mitigation link is detailed. Looks like we need to enable 
ModReqtimeout.

Michael

On Wed, Feb 27, 2019 at 8:00 AM, constantine via security-list 
<security-list gnome org> wrote:
> To whom it may concern,
> I reported this issue more than 1 month ago and I didn't take any 
> answer, would you please let me know if you need more details?
> Best Regards
> Hosein Askari
>
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, January 25, 2019 10:44 AM, constantine 
> <constantine110 protonmail com> wrote:
>
> > To whom it may concern,
> > As a vulnerability analyst, I found a misconfiguration issue in your 
> > web server that could allows remote attackers to take down your 
> > website in less than 7 seconds.
> > Details:
> > ###############
> > #Type of Attack: Slow Read HTTP Attack
> > #Author: Hosein Askari
> > #Date: January 25, 2019
> > #Third party evidence:
> >
> > http://www.site24x7.com/public/t/results-1548400100206.html
> > #Description: Attacker establishes a connection to the server and 
> > sends an appropriate HTTP request and reads the response at a very 
> > slow speed. After the attack, a lot of processes remain busy for a 
> > long time and the server can not response to any requests.
> > #Tools:
> > https://github.com/shekyan/slowhttptest/
> > #Parameters for reproducing:
> > slowhttptest -c 14000 -X -i 20 -r 7000 -t GET -u 
> > https://www.gnome.org/  -x 4   -z 1000  -p 2 -k 10 -l 100000
> > #Mitigation:
> > https://gist.github.com/nielsvanderbeke/8997399
> > #########
> > Would you please let me know about your policy, Could I have any 
> > acknowledgement(usable in CV) from your precious team after fixing 
> > the issue?
> > I am looking forward to hearing from you in the earliest convenience.
> > Yours Faithfully.
> > Hosein Askari