To reproduce:
-------------
1. Send a valid POST request to your ISAPI dll.
2. Start fiddler2 and copy the request to the 'Request Builder'.
3. Go to 'Request Builder'->'Options' and untick 'Fix Content-Length header'.
4. Go to 'Request Builder'->'Parsed' and manually change the 'Content-Length:' to 1.
5. Now press execute a few times fast; in my test Apache crashes after 1-10 clicks.

Reason:
-------
When the POST command is tampered with as above, the call to ap_get_client_block in isapi_handler (sometimes?) fails. As a result the ISAPI dll is unloaded - this is dangerous!! Other threads processing other requests have already acquired the pointer to the dll function and now try to call it with the dll not in memory, which crashes Apache.

Solution:
---------
There is no reason to unload the ISAPI dll in isapi_handler; it is dangerous and does not provide any benefit. In mod_isapi.c I have remarked all (2) calls to isapi_unload and left only the one in cleanup_isapi, which if I understand correctly only gets called when Apache exits (although I think it can be removed as well). In testing this solves the issue.

Security
--------
I can't see how a hacker can manipulate the address pointer, but it's still a fact that the server tries to jump to an invalid function pointer.
Fixed in version 2.2.15
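The unsafe pattern described in the report (one request's error path unloads a module while other requests still hold a pointer into it) and a reference-counted alternative, as an added illustration that is not Apache's mod_isapi code: the loader, the module and the scenario function are a constructed single-threaded stand-in for the real DLL and threads, with no locking (a real implementation would guard the counter with a mutex).

```c
/* Added example, not from mod_isapi: defer unloading a module until every
 * in-flight request has released the function pointer it resolved from it.
 * The 'module' here is a fake loader so the code runs without a real DLL. */
#include <stdbool.h>
#include <stddef.h>

typedef int (*handler_fn)(int);

typedef struct {
    handler_fn entry;     /* pointer a request resolves before calling in  */
    int refcount;         /* requests currently holding 'entry'            */
    bool unload_pending;  /* an error path asked for unload while in use   */
    bool loaded;
} module_t;

/* Stand-in for the extension's exported entry point (constructed). */
static int fake_entry(int x) { return x * 2; }

void module_load(module_t *m) {
    m->entry = fake_entry; m->refcount = 0;
    m->unload_pending = false; m->loaded = true;
}

/* Real unload; only reachable when no request still holds the pointer. */
static void module_do_unload(module_t *m) {
    m->entry = NULL; m->loaded = false; m->unload_pending = false;
}

/* A request takes a reference *before* reading the function pointer. */
handler_fn module_acquire(module_t *m) {
    if (!m->loaded) return NULL;
    m->refcount++;
    return m->entry;
}

/* A request releases after its call returns; the last one out unloads. */
void module_release(module_t *m) {
    if (m->refcount > 0) m->refcount--;
    if (m->refcount == 0 && m->unload_pending) module_do_unload(m);
}

/* The error path (e.g. a failed body read) asks for unload instead of
 * calling it directly, so other requests never dereference a freed module. */
void module_request_unload(module_t *m) {
    if (!m->loaded) return;
    if (m->refcount == 0) module_do_unload(m);
    else m->unload_pending = true;
}

/* Interleaving from the report: A holds the pointer, B's request fails. */
int scenario_unload_while_in_flight(void) {
    module_t m; module_load(&m);
    handler_fn f = module_acquire(&m);      /* request A resolved the pointer */
    module_request_unload(&m);              /* request B hit the error path   */
    if (!m.loaded || f == NULL) return -1;  /* must still be loaded for A     */
    int r = f(21);                          /* A's call is safe: 42           */
    module_release(&m);                     /* last holder out -> unloaded    */
    return m.loaded ? -2 : r;
}
```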