httpd-users mailing list archives

From James <ja...@nixsecurity.org>
Subject Re: [users@httpd] Re: Recent Apache DOS advisory - problem applying the SetEnvIf/ RequestHeader workaround.
Date Thu, 25 Aug 2011 01:28:14 GMT
You need to have the module mod_headers enabled. To check if you have the module enabled run
/path/to/httpd -t -D DUMP_MODULES, if you don't see mod_headers, you don't have the module.
You can search Google on how to enable it. However, I've tested the rewrite rules on the 2.X
series and this works just fine. The rewrite method requires mod_rewrite.

Tom Sztur <tsztur@gmail.com> wrote:

>Forgot to add version is Apache/2.2.14 .
>
>Link to the advisory is:
>http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser
>
>
>t.
>
>On Wed, Aug 24, 2011 at 9:02 PM, Tom Sztur <tsztur@gmail.com> wrote:
>
>> so one of the mitigations for this advisory was:
>>
>>
>> 1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
>>    either ignore the Range: header or reject the request.
>>
>>    Option 1: (Apache 2.0 and 2.2)
>>
>>           # Drop the Range header when more than 5 ranges.
>>           # CVE-2011-3192
>>           SetEnvIf Range (,.*?){5,} bad-range=1
>>           RequestHeader unset Range env=bad-range
>>
>>           # optional logging.
>>
>>           CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>>
>> Now when I add this to my httpd.conf:
>> <IfModule mod_setenvif.c>
>> # Drop the Range header when more than 5 ranges.
>> # CVE-2011-3192
>>
>> SetEnvIf Range (,.*?){5,} bad-range=1
>> RequestHeader unset Range env=bad-range
>>
>> </IfModule>
>>
>>
>> I get this error when restarting Apache:
>> "Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included
>> in the server configuration"
>>
>> The SetEnvIf module seems to be loaded.
>>
>> What is wrong with that parameter?
>>
>> TIA!
>>
>>
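An added example (not part of this thread or of the Apache project) covering the two points above: parsing `httpd -t -D DUMP_MODULES` output to see which module behind each workaround directive is missing, and applying the advisory's `(,.*?){5,}` regex to sample Range values to show which ones would have the header unset. The DUMP_MODULES text and Range headers are constructed; the module names are the standard Apache 2.2 ones.

```python
"""Two checks behind the CVE-2011-3192 workaround discussed in the thread."""
import re

# Regex copied from the advisory's SetEnvIf line. SetEnvIf does an unanchored
# match, so it fires when the value holds at least five commas (six+ ranges).
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")

# Directive used in the workaround -> module that provides it, using the names
# printed by `httpd -t -D DUMP_MODULES` (e.g. "headers_module (shared)").
DIRECTIVE_MODULES = {
    "SetEnvIf": "setenvif_module",
    "RequestHeader": "headers_module",
    "CustomLog": "log_config_module",
}


def loaded_modules(dump_output):
    """Parse DUMP_MODULES output into the set of loaded module names."""
    mods = set()
    for line in dump_output.splitlines():
        m = re.match(r"\s*(\w+_module)\s+\((?:static|shared)\)", line)
        if m:
            mods.add(m.group(1))
    return mods


def missing_modules(dump_output, directives=DIRECTIVE_MODULES):
    """Return the workaround directives whose module is not loaded."""
    have = loaded_modules(dump_output)
    return [d for d, mod in directives.items() if mod not in have]


def range_would_be_dropped(range_value):
    """True when SetEnvIf sets bad-range=1, so RequestHeader unsets Range."""
    return BAD_RANGE_RE.search(range_value) is not None


# Constructed DUMP_MODULES output resembling the original poster's build:
# mod_setenvif is present, mod_headers is not.
SAMPLE_DUMP = """Loaded Modules:
 core_module (static)
 log_config_module (static)
 setenvif_module (static)
 dir_module (shared)
"""

if __name__ == "__main__":
    print("directives lacking a module:", missing_modules(SAMPLE_DUMP))
    for hdr in ("bytes=0-99", "bytes=0-1,2-3,4-5,6-7,8-9,10-11"):
        print(hdr, "->", "dropped" if range_would_be_dropped(hdr) else "kept")
```

With the constructed dump, `missing_modules` reports only `RequestHeader`, which is exactly the directive the original poster's restart rejected.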