httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)
Date Wed, 24 Aug 2011 13:29:23 GMT
On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener <covener@gmail.com> wrote:
>> * Is this the right list (and order) of the mitigations - or should ReWrite be first ?
> FWIW I don't like rewrite first because it's so unruly with being
> defined once per vhost + main server + RewriteEngine on.
>
> I like RequestHeader simplicity, and could be combined with SetEnvIf
> to only zap long malicious looking headers.
>
e.g.

SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
CustomLog logs/range.log "%r %{Range}i %{bad-range}e"

printf "GET / HTTP/1.1\r\nHost: localhost\r\nRange:bytes=0-1,2-3,4-5,5-6,7-9,10-12,11-99,44\r\n\r\n" | nc localhost 80
GET / HTTP/1.1 - 1

printf "GET / HTTP/1.1\r\nHost: localhost\r\nRange:bytes=0-1,2-3,4-5\r\n\r\n" | nc localhost 80
GET / HTTP/1.1 bytes=0-1,2-3,4-5 -

-- 
Eric Covener
covener@gmail.com
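
Added example (not part of the original message): a Python model of the three directives above, run over constructed Range values, reproducing the two log lines shown and the five-comma boundary of the pattern. Function and variable names are illustrative, and header lookup is simplified to an exact "Range" key.

```python
import re

# Pattern copied verbatim from the SetEnvIf line in the message.
BAD_RANGE = re.compile(r"(,.*?){5,}")

def process(request_line, headers):
    """Model SetEnvIf -> RequestHeader unset -> CustomLog for one request.

    Simplification: headers is a dict keyed by the exact name "Range".
    """
    headers = dict(headers)
    env = {}
    # SetEnvIf Range (,.*?){5,} bad-range=1  (unanchored search of the value)
    if BAD_RANGE.search(headers.get("Range", "")):
        env["bad-range"] = "1"
    # RequestHeader unset Range env=bad-range
    if "bad-range" in env:
        headers.pop("Range", None)
    # CustomLog "%r %{Range}i %{bad-range}e"  (absent values log as "-")
    log_line = " ".join(
        [request_line, headers.get("Range", "-"), env.get("bad-range", "-")]
    )
    return headers, log_line

# Constructed sample values: the two from the message plus boundary cases.
SAMPLES = [
    "bytes=0-1,2-3,4-5,5-6,7-9,10-12,11-99,44",  # 7 commas: stripped
    "bytes=0-1,2-3,4-5",                         # 2 commas: kept
    "bytes=0-1,2-3,4-5,6-7,8-9",                 # 4 commas: kept
    "bytes=0-1,2-3,4-5,6-7,8-9,10-11",           # 5 commas: stripped
    None,                                        # no Range header at all
]

def run_samples():
    """Return the log line each constructed sample would produce."""
    lines = []
    for value in SAMPLES:
        headers = {"Host": "localhost"}
        if value is not None:
            headers["Range"] = value
        lines.append(process("GET / HTTP/1.1", headers)[1])
    return lines

if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

The pattern only counts commas, so any Range value with five or more of them is dropped and the request is then served as if no Range had been sent.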
