httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Micha Lenk <>
Subject CVE-2011-3192 and mod_proxy
Date Tue, 30 Aug 2011 10:56:08 GMT

I've just installed the recent security update (package apache2
2.2.16-6+squeeze2) that Debian just released for fixing CVE-2011-3192. I
made a short test request for a test document with exactly 10 bytes
length and with a header

Range: bytes=0-4,5-9,0-9

to test whether the patch works as expected.

For content that is not proxied, the security fix seems to fix the
issue, i.e. the full document is delivered unchunked as a whole.

But for content that is proxied via mod_proxy_http, the request
including the bad Range: header hits the backend server. So, if the
backend server is also an Apache, which is still vulnerable to
CVE-2011-3192, it would receive malicious Range headers unfiltered.

Is this intended behavior? Couldn't we filter out bad ranges on proxy
request too?

If this is not intended to be fixed, it is maybe a good idea to include
an explicit hint about this behavior in the security advisory.

However, the workaround from earlier announcements using following lines
in the configuration does also work for a proxied request:

# Drop the (Request-)Range header if more than 5 ranges (CVE-2011-3192)
SetEnvIf Range (,.*?){5} bad-range=1
RequestHeader unset Range env=bad-range
SetEnvIf Request-Range (,.*?){5} bad-request-range=1
RequestHeader unset Request-Range env=bad-request-range


View raw message