Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

2011-08-29 Thread Andrew Farmer
On 2011-08-26, at 08:12, Nikolay Kichukov wrote: Hi, This one works like charm on my debian stable LimitRequestFieldSize 200 in the apache2.conf as global directive for all vhosts. Be cautious about applying this mitigation -- it *will* break applications which use large cookies. In

Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

2011-08-27 Thread Nikolay Kichukov
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, This one works like charm on my debian stable LimitRequestFieldSize 200 in the apache2.conf as global directive for all vhosts. Cheers, - -Nik On 08/26/2011 05:56 PM, bodik wrote: Dne 08/26/11 13:26, bodik napsal(a): Option 2: (Pre 2.2 and

Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

2011-08-26 Thread Anestis Bechtsoudis
On 08/24/2011 07:55 PM, Dirk-Willem van Gulik wrote: Apache HTTPD Security ADVISORY == UPDATE 1 Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x CVE: CVE-2011-3192 Last Change: 20110824 1800Z

[Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

2011-08-26 Thread Dirk-Willem van Gulik
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Apache HTTPD Security ADVISORY == UPDATE 2 Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x CVE: CVE-2011-3192 Last Change: 20110826 1030Z Date:20110824

Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

2011-08-26 Thread Carlos Alberto Lopez Perez
On 26/08/11 12:35, Dirk-Willem van Gulik wrote: Apache HTTPD Security ADVISORY == UPDATE 2 Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x CVE: CVE-2011-3192 Last Change: 20110826 1030Z Date:

Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

2011-08-26 Thread bodik
Option 2: (Pre 2.2 and 1.3) # Reject request when more than 5 ranges in the Range: header. # CVE-2011-3192 # RewriteEngine on RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) # RewriteCond %{HTTP:request-range} !(bytes=[^,]+(?:,[^,]+){0,4}$|^$) RewriteRule .* - [F] ^^ Better use

Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

2011-08-26 Thread Dirk-Willem van Gulik
On 26 Aug 2011, at 12:09, Carlos Alberto Lopez Perez wrote: RewriteEngine on RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR] RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC] RewriteRule .* - [F] Because if you don't specify the [OR] apache will

Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

2011-08-26 Thread bodik
Dne 08/26/11 13:26, bodik napsal(a): Option 2: (Pre 2.2 and 1.3) # Reject request when more than 5 ranges in the Range: header. # CVE-2011-3192 # RewriteEngine on RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) # RewriteCond %{HTTP:request-range} !(bytes=[^,]+(?:,[^,]+){0,4}$|^$)

[Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

2011-08-25 Thread Dirk-Willem van Gulik
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Apache HTTPD Security ADVISORY == UPDATE 1 Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x CVE: CVE-2011-3192 Last Change: 20110824 1800Z Date: