From: "Kevin A. McGrail"
Date: Wed, 21 Dec 2011 14:21:59 -0500
To: users@httpd.apache.org
CC: Pete Houston
Subject: Re: [users@httpd] Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415
Message-ID: <4EF231D7.9090809@PCCC.com>
In-Reply-To: <20111221181839.GL2156@palma.openstrike.co.uk>

On 12/21/2011 1:18 PM, Pete Houston wrote:
> On Wed, Dec 21, 2011 at 12:42:02PM -0500, Kevin A. McGrail wrote:
>> Our server is being flagged for PCI non-compliance because of these
>> CVEs but there doesn't appear to be a fix, a workaround or any
>> information I can find.
> There seem to be 2 obvious workarounds:
>
> 1. Don't load mod_setenvif. That's where the problem lies - if the
> vulnerable code isn't loaded then your application isn't vulnerable.

I'm unfortunately using the setenvif to block bad useragents.

> 2. Don't use .htaccess files. Neither vulnerability can be triggered
> if you AllowOverride None. This is good for security anyway and if you
> are dealing with PCI related data I'd recommend this regardless of any
> issues in the code. It'll also be more efficient.

Good points, but hard to convince the PCI scanners of these types of
workarounds in my experience, and we have a decent amount of software
that uses .htaccess files for things like Apache DBI in mod_perl.

Plus, they are also flagging us for having +Indexes on /icons (literally
the default Apache icons). Like that's a security issue ;-)

Anyway, I am more wondering if 2.2.22 is even on track to address these
issues. Or if there are patches for 2.2.X (I found trunk patches but they
only dealt with some of the CVEs and didn't address the 2.2 branch).

The amount of information available for these CVEs seems sparse compared
to my past experience, but perhaps I'm searching incorrectly.

regards,
KAM

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
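As an added check that is not part of this thread, the following POSIX shell helper audits an httpd.conf text for the two workarounds Pete Houston names: whether mod_setenvif is loaded at all, and whether any AllowOverride other than None would let .htaccess files be parsed. The function names and the sample config are constructed for this example; files pulled in by Include are not followed.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Assumes a 2.2-style config
# in a single file; Include'd files are not followed.

# Print "loaded" if an active (uncommented) LoadModule line pulls in
# mod_setenvif, otherwise "absent". Workaround 1 needs "absent".
setenvif_loaded() {
  grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+setenvif_module[[:space:]]' "$1" \
    && echo loaded || echo absent
}

# Print each AllowOverride directive that is not "None". Empty output
# means no directory block ever parses a .htaccess file (workaround 2).
htaccess_enabled_in() {
  grep -Ei '^[[:space:]]*AllowOverride[[:space:]]+' "$1" \
    | grep -Eiv '^[[:space:]]*AllowOverride[[:space:]]+None[[:space:]]*$' || true
}

# Constructed sample config for demonstration (not a real server's file):
# mod_setenvif is loaded and one directory still honours .htaccess.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
LoadModule setenvif_module modules/mod_setenvif.so
BrowserMatchNoCase "badbot" bad_ua
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    AllowOverride All
</Directory>
EOF

echo "mod_setenvif: $(setenvif_loaded "$SAMPLE_CONF")"
echo "AllowOverride settings other than None:"
htaccess_enabled_in "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Run it against a real config only after concatenating any Include'd files, since a LoadModule or AllowOverride in a separate file is not seen here.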