1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.

Option 1: (Apache 2.0 and 2.2)

    # Drop the Range header when more than 5 ranges.
    # CVE-2011-3192
    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range

    # optional logging.
    CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Now when I add this to my httpd.conf:

    <IfModule mod_setenvif.c>
    # Drop the Range header when more than 5 ranges.
    # CVE-2011-3192
    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range
    </IfModule>

I get this error when restarting Apache:

"Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included in the server configuration"

The SetEnvIf module seems to be loaded.
What is wrong with that parameter?
TIA!
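
Added example, not part of the original post: RequestHeader is a mod_headers directive, while SetEnvIf comes from mod_setenvif, so a guard on mod_setenvif.c alone does not cover both lines of the mitigation. The module file paths below are assumptions for a build with shared modules; the directives themselves are the ones quoted in the post.

```apache
# Only needed when the modules are built as shared objects; omit a line
# if that module is compiled into httpd. Paths are assumed, adjust to
# your installation.
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule headers_module  modules/mod_headers.so

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
# The pattern needs at least five commas, i.e. six or more ranges.
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
```

The directives are deliberately left outside any `<IfModule>` block: if mod_headers is missing, the server refuses to start instead of silently running without the mitigation.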