httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)
Date Wed, 24 Aug 2011 15:08:00 GMT
+1

On Aug 24, 2011, at 10:29 AM, Plüm, Rüdiger, VF-Group wrote:

> 
> 
>> -----Original Message-----
>> From: Eric Covener [mailto:covener@gmail.com] 
>> Sent: Wednesday, 24 August 2011 15:29
>> To: dev@httpd.apache.org
>> Subject: Re: CVE-2011-3192: Range header DoS vulnerability in 
>> Apache 1.3 and Apache 2 (DRAFT-3)
>> 
>> On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener 
>> <covener@gmail.com> wrote:
>>>> *       Is this the right list (and order) of the 
>> mitigations - or should ReWrite be first ?
>>> FWIW I don't like rewrite first because it's so unruly with being
>>> defined once per vhost + main server + RewriteEngine on.
>>> 
>>> I like RequestHeader simplicity, and could be combined with SetEnvIf
>>> to only zap long malicious looking headers.
>>> 
>> e.g.
>> 
>> SetEnvIf Range (,.*?){5,} bad-range=1
>> RequestHeader unset Range env=bad-range
> 
> Nice one as well. Might be even better than the rewrite rule.
> 
> Regards
> 
> Rüdiger
> 
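A small Python model of the two-directive mitigation quoted above, added here as an illustration and not code from the thread or from httpd itself. It applies the same `(,.*?){5,}` pattern to a Range value and drops the header the way `RequestHeader unset Range env=bad-range` would, so the threshold of the rule can be checked against sample headers (all sample values are constructed, not taken from the thread).

```python
import re

# Same pattern as the quoted SetEnvIf directive: five or more commas
# anywhere in the Range value. It counts commas, not ranges, so a
# header with five ranges (four commas) is NOT flagged; six ranges are.
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")


def is_bad_range(range_value: str) -> bool:
    """Mirror 'SetEnvIf Range (,.*?){5,} bad-range=1' for one header value."""
    return BAD_RANGE_RE.search(range_value) is not None


def filter_headers(headers: dict) -> dict:
    """Mirror 'RequestHeader unset Range env=bad-range' for one request.

    Returns a copy of the request headers with Range removed when the
    SetEnvIf rule would have set bad-range. Header names are compared
    case-insensitively, as Apache compares them; other headers and an
    unflagged Range pass through unchanged. A request whose Range is
    dropped is served as a normal full response (200) instead of 206.
    """
    return {
        name: value
        for name, value in headers.items()
        if not (name.lower() == "range" and is_bad_range(value))
    }


# Constructed sample requests (hypothetical values, not from the thread).
SAMPLES = {
    "single":      {"Host": "example.test", "Range": "bytes=0-499"},
    "five_ranges": {"Host": "example.test", "Range": "bytes=0-1,2-3,4-5,6-7,8-9"},
    "six_ranges":  {"Host": "example.test", "Range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"},
    "lowercase":   {"Host": "example.test", "range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"},
}


def stripped_samples() -> list:
    """Names of the constructed samples whose Range header the rule removes."""
    return [name for name, hdrs in SAMPLES.items()
            if not any(k.lower() == "range" for k in filter_headers(hdrs))]


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12s} -> {filter_headers(hdrs)}")
```

Legitimate clients that send six or more ranges in one request lose the header too and simply receive the whole resource, which is the trade-off this simpler mitigation makes.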

