[svlug] Heads up: Bad remote DoS for current Apache httpd

Rick Moen rick at linuxmafia.com
Fri Aug 26 14:41:14 PDT 2011


I wrote:

> And then adding the following to /etc/apache2/httpd.conf

On reflection, it's actually better/cleaner to put it in new file
/etc/apache2/conf.d/CVE-2011-3192 .  

> and then restarting Apache:
> 
> # Drop the Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
> # optional logging.
> CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range

Update:  It's been pointed out on the debian-security mailing list that
Apache httpd _also_ accepts keyword 'Request-Range' for the byte-range
function, in addition to 'Range'.  Thus, that keyword needs to be
corralled, too, requiring two additional lines.  Revised conffile snippet:


# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
# Five or more commas in the header value means six or more byte ranges.
# Apache also honours the legacy 'Request-Range' spelling, so both
# headers are checked, and both are dropped if either one trips the test.
# Needs mod_setenvif and mod_headers.
SetEnvIf Range (,.*?){5,} bad-range=1
SetEnvIf Request-Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
RequestHeader unset Request-Range env=bad-range

# optional logging.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range

(If Apache chokes on these additions at startup, you need to do
'a2enmod headers' to enable the necessary module.)
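To see what the snippet above actually does to a request before deploying it, here is an added Python emulation of the SetEnvIf/RequestHeader logic (example code written for this page, not part of Rick's post or of Apache httpd). It reuses the exact regex from the conffile, applies it to both header spellings, and, like the two conditional `RequestHeader unset` lines, drops both headers whenever either one sets `bad-range`. The sample header sets at the bottom are constructed for illustration; `apply_range_mitigation` and `flags_bad_range` are hypothetical helper names.

```python
import re

# Header names the mitigation covers. Request-Range is the legacy Netscape
# spelling that Apache httpd also honours (assumption: compared case-insensitively,
# as HTTP header names are).
RANGE_HEADERS = ("range", "request-range")


def bad_range_pattern(max_ranges=5):
    """Build the SetEnvIf regex from the conffile: more than max_ranges byte
    ranges means at least max_ranges commas in the value.  With the default
    this is literally (,.*?){5,}.  Apache compiles SetEnvIf patterns with
    PCRE; Python's re gives the same answer for this expression."""
    return re.compile(r"(,.*?){" + str(max_ranges) + ",}")


def flags_bad_range(value, max_ranges=5):
    """True when one header value would set env bad-range=1.
    SetEnvIf matches anywhere in the value, hence search(), not match()."""
    return bad_range_pattern(max_ranges).search(value) is not None


def apply_range_mitigation(headers, max_ranges=5):
    """Emulate the conf.d snippet on one request's headers.

    headers: dict of header name -> value (constructed input).
    Returns (filtered_headers, flagged).  flagged mirrors env=bad-range.
    Because both 'RequestHeader unset' lines key on the same env var, a bad
    Request-Range header also removes a perfectly good Range header, and
    vice versa; unrelated headers pass through untouched.
    """
    flagged = any(
        flags_bad_range(value, max_ranges)
        for name, value in headers.items()
        if name.lower() in RANGE_HEADERS
    )
    if not flagged:
        return dict(headers), False
    kept = {n: v for n, v in headers.items() if n.lower() not in RANGE_HEADERS}
    return kept, True


if __name__ == "__main__":
    # Constructed sample requests: one ordinary partial-content request,
    # one at the limit, one over it, and one using the legacy header.
    samples = [
        {"Host": "www.example.org", "Range": "bytes=0-99"},
        {"Host": "www.example.org", "Range": "bytes=0-,1-,2-,3-,4-"},
        {"Host": "www.example.org", "Range": "bytes=0-,1-,2-,3-,4-,5-"},
        {"Host": "www.example.org", "Range": "bytes=0-1",
         "Request-Range": "bytes=0-,1-,2-,3-,4-,5-,6-,7-"},
    ]
    for req in samples:
        kept, flagged = apply_range_mitigation(req)
        print("bad-range" if flagged else "ok       ", kept)
```

Note that the regex counts commas, not well-formed ranges, so a malformed value such as `bytes=,,,,,` is dropped too; that is the intended conservative behaviour of the published mitigation. Raising `max_ranges` loosens the check for sites whose legitimate clients (for example PDF viewers) send many ranges per request.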