httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pete Houston <...@openstrike.co.uk>
Subject Re: [users@httpd] Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415
Date Wed, 21 Dec 2011 18:18:39 GMT
On Wed, Dec 21, 2011 at 12:42:02PM -0500, Kevin A. McGrail wrote:
> Our server is being flagged for PCI non-compliance because of these
> CVE's but there doesn't appear to be a fix, a workaround or any
> information I can find.

There seem to be 2 obvious workarounds:

1. Don't load mod_setenvif. That's where the problem lies - if the
vulnerable code isn't loaded then your application isn't vulnerable.

2. Don't use .htaccess files. Neither vulnerability can be triggered
if you AllowOverride None. This is good for security anyway and if you
are dealing with PCI related data I'd recommend this regardless of any
issues in the code. It'll also be more efficient.

HTH,

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107

Mime
View raw message