Re: Grave apache dos possible through byterange requests



On 24/08/11 12:13, Carlos Alberto Lopez Perez wrote:
> You can use the following redirect as a temporary workaround:
> 
> # a2enmod rewrite
> 
> RewriteEngine On
> RewriteCond %{HTTP:Range} bytes=0-.* [NC]
> RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
> 

Sorry, the above redirect is wrong. It won't work if the attacker
changes bytes=0 to bytes=1, for example, in the Perl exploit. Also, it only
blocks the check that the exploit uses to see if the server is
vulnerable, but not the range requests, which are where the real problem is.


Please use the following one instead (suggested at full-disclosure[1]):


RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]


--------
[1]
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082365.html

Attachment: signature.asc
Description: OpenPGP digital signature
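
An added example, not part of the original message: a Python check of the two RewriteCond patterns quoted above against constructed Range header values, showing which requests each rule catches and that the replacement rule leaves single-range requests alone. Python's `re` stands in for Apache's regex matching, and the function names and sample headers are assumptions made for this illustration.

```python
import re

# Patterns copied from the two RewriteCond lines in the message.
# RewriteCond patterns are unanchored, so re.search mirrors the match.
OLD_RULE = re.compile(r"bytes=0-.*", re.IGNORECASE)  # first rule carried [NC]
NEW_RULE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")
NEW_METHODS = re.compile(r"^(HEAD|GET)", re.IGNORECASE)


def old_rule_hits(range_header):
    """True if the first (withdrawn) rule would redirect the request."""
    return OLD_RULE.search(range_header) is not None


def new_rule_hits(method, range_header):
    """True if the replacement rule would answer 403 ([F])."""
    return (NEW_METHODS.search(method) is not None
            and NEW_RULE.search(range_header) is not None)


# Constructed sample requests, not captured traffic.
SAMPLES = [
    ("GET", "bytes=0-"),               # single open-ended range
    ("GET", "bytes=500-999"),          # single range, e.g. a download resume
    ("HEAD", "bytes=0-99,200-299"),    # several ranges, first starts at 0
    ("GET", "bytes=1-99,200-299"),     # several ranges, first starts at 1
    ("GET", "bytes=0-10 , 20-30"),     # several ranges with whitespace
]

if __name__ == "__main__":
    for method, header in SAMPLES:
        print(f"{method:4} {header!r:24} old={old_rule_hits(header)!s:5} "
              f"new={new_rule_hits(method, header)}")
```
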