> anyone? cheers..
>
> On Wed, Aug 31, 2011 at 5:31 PM, Steve Foster <stephenfoster1971@xxxxxxxxx> wrote:
>
>> I've also had a thought, I also implemented the following:
>>
>> LimitRequestLine 4000
>>
>> Which is about half of the default size I believe, could this be limiting the impact on my servers and thus not making them vulnerable. Does anyone know what length of request the killapache script sends?
In my opinion, you should defend against the vulnerability rather than trying to defend against a particular script that implements an exploit for the vulnerability.
The best course of action is to upgrade Apache HTTP Server to a version that does not have the vulnerability. If this is not possible in your situation, implement one of the workarounds described in the "Mitigation" section of the advisory: https://httpd.apache.org/security/CVE-2011-3192.txt
In any event, the documentation for the LimitRequestLine directive ( https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline ) says:
The |LimitRequestLine| directive allows the server administrator to reduce or increase the limit on the allowed size of a client's HTTP request-line. Since the request-line consists of the HTTP method, URI, and protocol version, the |LimitRequestLine| directive places a restriction on the length of a request-URI allowed for a request on the server. A server needs this value to be large enough to hold any of its resource names, including any information that might be passed in the query part of a |GET| request.
The killapache.pl script generates request lines that are only 15 characters long ("HEAD / HTTP/1.1"). The killapache.pl script does send long range headers (approximately 8,000 bytes), but headers are not part of the request line. So using the LimitRequestLine directive won't defend against the vulnerability.
--
Mark Montague
mark@xxxxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
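As an added example (not from this thread or from the httpd project), the following Python parses a raw request head and reports what LimitRequestLine actually measures next to what the Range header carries. The 4000-character limit is the value from the question; the five-range cutoff is the threshold the advisory's mod_rewrite/mod_headers workarounds use, and the sample request is constructed.

```python
# Added example, not from the thread or the httpd project. Only the first
# line of a request is subject to LimitRequestLine; the Range header is
# parsed separately and flagged when it carries more ranges than the
# five-range cutoff used by the CVE-2011-3192 advisory workarounds.

LIMIT_REQUEST_LINE = 4000  # the value set in the question
MAX_RANGES = 5             # cutoff taken from the advisory's workaround


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (request line, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def count_ranges(range_value: str) -> int:
    """Number of byte-range specs in a Range header value (0 if absent)."""
    if not range_value.lower().startswith("bytes="):
        return 0
    return len([s for s in range_value[6:].split(",") if s.strip()])


def assess(raw: bytes) -> dict:
    """Report what LimitRequestLine sees versus what the Range check sees."""
    request_line, headers = parse_request(raw)
    ranges = count_ranges(headers.get("range", ""))
    return {
        "request_line_len": len(request_line),
        "over_limit_request_line": len(request_line) > LIMIT_REQUEST_LINE,
        "range_count": ranges,
        "excessive_ranges": ranges > MAX_RANGES,
    }


# Constructed sample: a 15-character request line with a multi-range header.
SAMPLE = (b"HEAD / HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Range: bytes=0-,1-2,3-4,5-6,7-8,9-10,11-12,13-14\r\n\r\n")

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The sample never trips the request-line limit, while the range count does exceed the cutoff, which is the distinction the reply above makes.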