httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)
Date Wed, 24 Aug 2011 13:30:34 GMT
On Wed, Aug 24, 2011 at 9:29 AM, Eric Covener <covener@gmail.com> wrote:
> On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener <covener@gmail.com> wrote:
>>> *       Is this the right list (and order) of the mitigations - or should ReWrite be first ?
>> FWIW I don't like rewrite first because it's so unruly with being
>> defined once per vhost + main server + RewriteEngine on.
>>
>> I like RequestHeader simplicity, and could be combined with SetEnvIf
>> to only zap long malicious looking headers.
>>
> e.g.
>
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
> CustomLog logs/range.log "%r %{Range}i %{bad-range}e"
>
>  printf "GET / HTTP/1.1\r\nHost: localhost\r\nRange:bytes=0-1,2-3,4-5,5-6,7-9,10-12,11-99,44\r\n\r\n" | nc localhost 80
>
>  GET / HTTP/1.1 - 1
>
>  printf "GET / HTTP/1.1\r\nHost: localhost\r\nRange:bytes=0-1,2-3,4-5\r\n\r\n" | nc localhost 80
> GET / HTTP/1.1 bytes=0-1,2-3,4-5 -
>

Or more like Ruediger's:

SetEnvIf Range (,[^,]*){5,} bad-range=1
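
An added illustration, not part of the original message: the script below runs both SetEnvIf patterns from the thread over constructed Range values to show where the `{5,}` threshold falls and what the CustomLog fields would contain. Python's `re` stands in for Apache's regex engine, and the helper names `is_bad_range` and `filter_request` are hypothetical.

```python
import re

# Patterns copied from the thread. SetEnvIf performs an unanchored regex
# search, so re.search() is used (Python's re stands in for Apache's engine).
PATTERNS = {
    "lazy-dot": re.compile(r"(,.*?){5,}"),
    "not-comma": re.compile(r"(,[^,]*){5,}"),
}

def is_bad_range(value, pattern):
    """True when the SetEnvIf line would set bad-range=1 for this value."""
    return value is not None and pattern.search(value) is not None

def filter_request(headers, pattern):
    """Hypothetical helper mirroring SetEnvIf + RequestHeader unset.

    Returns the headers passed on and the "%{Range}i %{bad-range}e" fields
    as the CustomLog line in the message would record them.
    """
    passed = dict(headers)
    bad = is_bad_range(passed.get("Range"), pattern)
    if bad:
        del passed["Range"]
    return passed, "%s %s" % (passed.get("Range", "-"), "1" if bad else "-")

# Constructed inputs: the two values from the message plus the boundary
# cases around the {5,} quantifier (4 commas = 5 ranges, 5 commas = 6 ranges).
SAMPLES = [
    "bytes=0-1,2-3,4-5,5-6,7-9,10-12,11-99,44",
    "bytes=0-1,2-3,4-5",
    "bytes=0-1,2-3,4-5,6-7,8-9",
    "bytes=0-1,2-3,4-5,6-7,8-9,10-11",
]

if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        for value in SAMPLES:
            _, fields = filter_request({"Host": "localhost", "Range": value}, pattern)
            print("%-9s %-45s -> %s" % (name, value, fields))
```

Both patterns key on the comma count alone, so a request with five ranges passes untouched and one with six or more has its Range header removed.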
