Re: Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415

On Wed, Dec 21, 2011 at 12:42:02PM -0500, Kevin A. McGrail wrote:
> Our server is being flagged for PCI non-compliance because of these
> CVEs but there doesn't appear to be a fix, a workaround or any
> information I can find.

There seem to be 2 obvious workarounds:

1. Don't load mod_setenvif. That's where the problem lies - if the
vulnerable code isn't loaded then your application isn't vulnerable.

2. Don't use .htaccess files. Neither vulnerability can be triggered
if you AllowOverride None. This is good for security anyway and if you
are dealing with PCI related data I'd recommend this regardless of any
issues in the code. It'll also be more efficient.

HTH,

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
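An added example, not part of Pete's post: a read-only POSIX shell audit that checks a single httpd.conf for the two workarounds above (mod_setenvif not loaded, AllowOverride None everywhere). It assumes a stock layout where modules are loaded via LoadModule directives in the file being checked; Include'd files and per-vhost config are not followed.

```shell
#!/bin/sh
# Added audit script (not from the mailing list). Assumes a single httpd.conf;
# files pulled in via Include are not followed, so run it on each one.

strip_comments() {
    # Drop '#' to end of line so a commented-out LoadModule does not count.
    sed 's/#.*//' "$1"
}

# Workaround 1: returns 0 if no active LoadModule line loads mod_setenvif.
setenvif_unloaded() {
    ! strip_comments "$1" | grep -Eiq \
        '^[[:space:]]*LoadModule[[:space:]]+setenvif_module([[:space:]]|$)'
}

# Workaround 2: returns 0 if every AllowOverride directive is exactly "None".
allowoverride_none() {
    if strip_comments "$1" | grep -Ei '^[[:space:]]*AllowOverride[[:space:]]' \
        | grep -Eivq '^[[:space:]]*AllowOverride[[:space:]]+None[[:space:]]*$'; then
        return 1   # some <Directory> still honours .htaccess
    fi
    return 0
}

# Verdict: 0 when either workaround is in place (either one alone removes the
# .htaccess trigger path for mod_setenvif), 1 when neither is.
check_apache_config() {
    if setenvif_unloaded "$1"; then
        echo "OK: mod_setenvif is not loaded in $1"
        return 0
    fi
    echo "WARN: mod_setenvif is loaded in $1"
    if allowoverride_none "$1"; then
        echo "OK: every AllowOverride in $1 is None"
        return 0
    fi
    echo "FAIL: $1 loads mod_setenvif and still allows .htaccess overrides"
    return 1
}
```

Run it as `check_apache_config /etc/httpd/conf/httpd.conf` (path is an assumption); a non-zero exit means neither workaround is in effect.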
