lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <4E57B7CB.2080404@oldum.net> Date: Fri, 26 Aug 2011 18:12:11 +0300 From: Nikolay Kichukov <hijacker@...um.net> To: bodik <bodik@....zcu.cz> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, This one works like charm on my debian stable LimitRequestFieldSize 200 in the apache2.conf as global directive for all vhosts. Cheers, - -Nik On 08/26/2011 05:56 PM, bodik wrote: > Dne 08/26/11 13:26, bodik napsal(a): >> >>>> Option 2: (Pre 2.2 and 1.3) >>>> >>>> # Reject request when more than 5 ranges in the Range: header. # >>>> CVE-2011-3192 # RewriteEngine on RewriteCond %{HTTP:range} >>>> !(bytes=[^,]+(,[^,]+){0,4}$|^$) # RewriteCond %{HTTP:request-range} >>>> !(bytes=[^,]+(?:,[^,]+){0,4}$|^$) RewriteRule .* - [F] >>> ^^ Better use this: >>> >>> RewriteEngine on RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) >>> [NC,OR] RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) >>> [NC] RewriteRule .* - [F] >>> >> >> in any case, i found very wierd behavior on some of our webservers. as we >> applied the first version of workaround, something about 15% of our webpages >> seems to be broken, but the rest of virtual hosts were working fine. > > because of messing with Options FollowSymLinks or SymLinksIfOwnerMatch and > mod_rewrite i have to implement other workaround .. > > b > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJOV7fKAAoJEDFLYVOGGjgXniQH/jQoeD+vKAT1D+PdCijthhNA Svjhvyl801n/b+ggJvLq6HclMZKacThcuVqtyb+ehf1b+3D9XMeMtieze0sC2Qnt GAuBKSUI+b7QRSJETjncBqKeVu7RpeeKeKI3aotqXtNTknP+S0McKpPKUYEM591K iaam/DkmzTob6Ey2J0anQs+58yCqLqEusoojqIy4T8Ql48EDoE/TnSZphA3BGGpC rZ/r0Hv49SJkTWIwY03+epYDTuIq8+LK9flEkSsKC4OqFkZagx7MEjyDv1Xztj0K 8hsC+iC9k+RCKdAnQVPiJ/CaKgUbNeghuX/bIxCm0edjLFUhootlf7ie8dvnxbs= =LO33 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists