On Wed, Aug 24, 2011 at 10:56 AM, Dirk-Willem van Gulik < [email protected]> wrote:
+1 with Eric's edits. Specifically,
>
> 1) Use mod_rewrite to limit the number of ranges:
>
Option 1 doesn't use mod_rewrite.
Option 1:
> # drop Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
>
> # optional logging.
> CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>
Greg
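
The Option 1 rule quoted above, replayed against constructed Range values as an added example (not part of the original message or of Apache's code). It assumes Python's `re` treats this pattern the same way Apache's regex engine does; `apply_mitigation` and `make_range` are hypothetical helper names. The pattern needs five commas to match, so five ranges pass and six or more are flagged.

```python
import re

# Same pattern as the SetEnvIf line quoted above. SetEnvIf performs an
# unanchored search, so re.search() is the equivalent call.
BAD_RANGE = re.compile(r"(,.*?){5,}")


def apply_mitigation(headers):
    """Mimic 'SetEnvIf Range ... bad-range=1' + 'RequestHeader unset Range'.

    Returns (headers_after, bad_range). Header names are compared
    case-insensitively, as HTTP requires.
    """
    value = next((v for k, v in headers.items() if k.lower() == "range"), None)
    bad_range = value is not None and BAD_RANGE.search(value) is not None
    if bad_range:
        headers = {k: v for k, v in headers.items() if k.lower() != "range"}
    return dict(headers), bad_range


def make_range(n):
    """Build a constructed Range value with n byte ranges (n - 1 commas)."""
    return "bytes=" + ",".join(f"{i * 10}-{i * 10 + 1}" for i in range(n))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for n in (1, 5, 6, 50):
        req = {"Host": "example.test", "Range": make_range(n)}
        after, bad = apply_mitigation(req)
        print(f"{n:>2} ranges  bad-range={int(bad)}  Range kept={'Range' in after}")
```
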
