Re: Recent Apache DOS advisory - problem applying the SetEnvIf/ RequestHeader workaround.

Forgot to add: the version is Apache/2.2.14.

Link to the advisory is: http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser


t.

On Wed, Aug 24, 2011 at 9:02 PM, Tom Sztur <tsztur@xxxxxxxxx> wrote:
So one of the mitigations for this advisory was:

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.

Option 1: (Apache 2.0 and 2.2)

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Now when I add this to my httpd.conf:
<IfModule mod_setenvif.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

</IfModule>


I get this error when restarting Apache:
"Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included in the server configuration"

The SetEnvIf module seems to be loaded.

What is wrong with that parameter?

TIA!
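
A pre-restart check for the situation in this thread, as an added example (not part of the original messages or the Apache advisory): `RequestHeader` is provided by mod_headers rather than mod_setenvif, so the sketch flags workaround directives whose providing module is absent or that sit under an `<IfModule>` testing a different module. The `lint` function, the directive table and the loaded-module set (a constructed stand-in for `httpd -M` output) are assumptions made for illustration.

```python
import re

# Directive -> (source-file name accepted by <IfModule>, identifier listed by
# `httpd -M`). Covers only the three directives used in the workaround.
PROVIDERS = {
    "setenvif": ("mod_setenvif.c", "setenvif_module"),
    "requestheader": ("mod_headers.c", "headers_module"),
    "customlog": ("mod_log_config.c", "log_config_module"),
}

# The block from the message above, copied as posted.
SAMPLE_CONF = """\
<IfModule mod_setenvif.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
</IfModule>
"""
# Constructed stand-in for `httpd -M` output: mod_headers is absent.
SAMPLE_LOADED = {"core_module", "setenvif_module", "log_config_module"}

def lint(conf_text, loaded):
    """Return (line_no, directive, problem) for each workaround directive at risk."""
    problems, guards = [], []          # guards: stack of enclosing <IfModule> args
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r"<IfModule\s+([^>\s]+)\s*>", line, re.I)
        if opened:
            guards.append(opened.group(1))
        elif re.match(r"</IfModule\s*>", line, re.I):
            if guards:
                guards.pop()
        elif line and not line.startswith("#"):
            name = line.split()[0]
            src, ident = PROVIDERS.get(name.lower(), (None, None))
            if src is None:
                continue
            if ident not in loaded:
                # Unguarded, this aborts startup; guarded, the directive is
                # skipped silently and the mitigation never takes effect.
                problems.append((no, name, f"{ident} is not loaded"))
            if guards and not any(g in (src, ident) for g in guards):
                problems.append((no, name, f"enclosing <IfModule> does not test {src}"))
    return problems

if __name__ == "__main__":
    for no, name, problem in lint(SAMPLE_CONF, SAMPLE_LOADED):
        print(f"line {no}: {name}: {problem}")
```

On a live server the loaded set would be built from the identifiers printed by `httpd -M`.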

