httpd-users mailing list archives

From Tom Sztur <tsz...@gmail.com>
Subject [users@httpd] Recent Apache DOS advisory - problem applying the SetEnvIf/ RequestHeader workaround.
Date Thu, 25 Aug 2011 01:02:11 GMT
So one of the mitigations for this advisory was:


1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
   either ignore the Range: header or reject the request.

   Option 1: (Apache 2.0 and 2.2)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Now when I add this to my httpd.conf:
<IfModule mod_setenvif.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

</IfModule>


I get this error when restarting Apache:
"Invalid command 'RequestHeader', perhaps misspelled or defined by a
module not included in the server configuration"

The SetEnvIf module seems to be loaded.

What is wrong with that parameter?

TIA!
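
The error quoted above names a directive whose module is not loaded: RequestHeader is provided by mod_headers, not mod_setenvif. The fragment below is an added example, not part of the original post or the advisory; the module file paths are assumptions and vary by build and distribution.

```apache
# Added example. Module paths below are assumed; adjust to your installation.
# Skip a LoadModule line if that module is compiled into the server statically.

# SetEnvIf comes from mod_setenvif.
LoadModule setenvif_module modules/mod_setenvif.so
# RequestHeader comes from mod_headers. Without this module the server stops
# with "Invalid command 'RequestHeader'".
LoadModule headers_module modules/mod_headers.so

# The mitigation is deliberately left outside any <IfModule> block.
# <IfModule mod_setenvif.c> only tests for mod_setenvif, so it does not
# protect the RequestHeader line, and an <IfModule mod_headers.c> wrapper
# would silently skip the mitigation when mod_headers is missing.
# Unwrapped, a missing module is a startup error instead of a quiet gap.

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging. (CustomLog is provided by mod_log_config.)
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
```

Running `apachectl configtest` after the edit checks the syntax before a restart, and on Apache 2.2 `httpd -M` lists the modules that are actually loaded.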
