On 26/08/11 13:22, linbloke wrote:
> Hello,
>
> I'm curious as to why you suggest option 2 over option 1 from the Apache
> advisory? My guess is that it is compatible with version 1.3 and 2.x and
> that it has stronger enforcement of the syntax (by requiring ^bytes=)
> rather than just 5 comma separated fields. Would the following be the
> equivalent update to option 1:
>
> # Drop the Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (,.*?){5,} bad-range=1
> SetEnvIf Request-Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
> RequestHeader unset Request-Range env=bad-range
>
> # optional logging.
> CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
>
> I've put that into /etc/apaches/conf.d/CVE-2011-3192
>
> I appreciate that it clobbers both headers if either match but that's ok
> for me. If either match I'd be happier to drop the connection but I
> don't want to touch every virtualhost config and Rewrite rules scare me
> too.
>
>
> Best regards,
> LB
Didn't know method 1 could be applied outside the vhost, so this is much easier to deploy.
Thanks for the tip!
The new advisory [1] recommends this:

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range

# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range

# optional logging.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082427.html
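Added example, not taken from this thread or from the Apache advisory: a small Python check that emulates what the SetEnvIf / RequestHeader lines above do to a request, so the two patterns discussed (linbloke's `(,.*?){5,}` and the advisory's `(?:,.*?){5,5}`) can be compared against constructed Range values before the configuration is deployed. It assumes Python's `re` behaves like Apache's PCRE for these two expressions, that header names are already canonical (`Range`, `Request-Range`), and uses sample header values that are constructed, not captured traffic.

```python
import re

# Range-header patterns as they appear in the thread (Python's re is close
# enough to Apache's PCRE for these two expressions).
OPTION1_RE = re.compile(r"(,.*?){5,}")      # linbloke's rewrite of option 1
ADVISORY_RE = re.compile(r"(?:,.*?){5,5}")  # pattern in the revised advisory

# Constructed sample Range header values; not captured traffic.
SAMPLE_RANGES = [
    None,                                          # no Range header at all
    "bytes=0-",                                    # single open-ended range
    "bytes=0-99,100-199",                          # two ranges
    "bytes=0-1,1-2,2-3,3-4,4-5",                   # exactly five ranges: allowed
    "bytes=0-1,1-2,2-3,3-4,4-5,5-6",               # six ranges: over the limit
    "bytes=" + ",".join("0-" for _ in range(50)),  # fifty ranges
]


def range_count(value):
    """Number of ranges in a Range value, e.g. 'bytes=0-1,2-3' -> 2."""
    if value is None:
        return 0
    _, _, spec = value.partition("=")
    return len([r for r in spec.split(",") if r.strip()])


def flagged(value, pattern=ADVISORY_RE):
    """Emulate SetEnvIf: the env var is set when the pattern matches anywhere."""
    return value is not None and pattern.search(value) is not None


def compare_patterns(values=SAMPLE_RANGES):
    """For each sample return (value, count, option1_flags, advisory_flags)."""
    return [(v, range_count(v), flagged(v, OPTION1_RE), flagged(v, ADVISORY_RE))
            for v in values]


def apply_mitigation(headers):
    """Emulate the advisory's directives on a dict of request headers
    (header names assumed already canonical, e.g. 'Range').
    Returns (remaining_headers, bad_range); bad_range mirrors the env var
    that the optional CustomLog line keys on."""
    out = dict(headers)
    bad_range = flagged(out.get("Range"))
    if bad_range:
        del out["Range"]               # RequestHeader unset Range env=bad-range
    out.pop("Request-Range", None)     # RequestHeader unset Request-Range (always)
    return out, bad_range


if __name__ == "__main__":
    for value, count, opt1, adv in compare_patterns():
        print(f"{count:3d} ranges  option1={opt1!s:5}  advisory={adv!s:5}  {value!r}")
    hdrs = {"Host": "example.test", "Range": SAMPLE_RANGES[4],
            "Request-Range": "bytes=0-1"}
    print(apply_mitigation(hdrs))
```

Both patterns flag exactly the same samples: a value with at least five commas (six or more ranges) always contains a match of exactly five `,.*?` repetitions, so `{5,5}` and `{5,}` are equivalent under SetEnvIf's unanchored search. The `range_count` parser is only there to show what the comma-counting regex approximates; the two differ on malformed values such as repeated empty commas, which the regex counts and the parser ignores.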