httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kevin A. McGrail" <>
Subject Re: [users@httpd] Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415
Date Wed, 21 Dec 2011 19:21:59 GMT
On 12/21/2011 1:18 PM, Pete Houston wrote:
> On Wed, Dec 21, 2011 at 12:42:02PM -0500, Kevin A. McGrail wrote:
>> Our server is being flagged for PCI non-compliance because of these
>> CVE's but there doesn't appear to be a fix, a workaround or any
>> information I can find.
> There seem to be 2 obvious workarounds:
> 1. Don't load mod_setenvif. That's where the problem lies - if the
> vulnerable code isn't loaded then your application isn't vulnerable.
I'm unfortunately using the setenvif to block bad useragents.
> 2. Don't use .htaccess files. Neither vulnerability can be triggered
> if you AllowOverride None. This is good for security anyway and if you
> are dealing with PCI related data I'd recommend this regardless of any
> issues in the code. It'll also be more efficient.
Good points but hard to convince the PCI scanners of these type of 
workarounds in my experience and we have a decent amount of software 
that uses .htaccess files for things like apache DBI in mod_perl.

Plus, they are also flagging us for having +Indexes on /icons (literally 
the default Apache icons).  Like that's a security issue ;-)

Anyway, I am more wondering if 2.2.22 is even on track to address these 
issues.  Or if there are patches for 2.2.X (I found trunk patches but 
they only dealt with some of the CVE and didn't address the 2.2 
branch).  The amount of information available for these CVEs since 
sparse compared to my past experience but perhaps I'm searching incorrectly.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message