On 2011-08-26, at 08:12, Nikolay Kichukov wrote:
Hi,
This one works like a charm on my Debian stable
LimitRequestFieldSize 200
in the apache2.conf as a global directive for all vhosts.
Be cautious about applying this mitigation -- it *will* break applications
which use large cookies. In
Hi,
This one works like a charm on my Debian stable
LimitRequestFieldSize 200
in the apache2.conf as a global directive for all vhosts.
Cheers,
-Nik
On 08/26/2011 05:56 PM, bodik wrote:
On 08/26/11 13:26, bodik wrote:
Option 2: (Pre 2.2 and
On 08/24/2011 07:55 PM, Dirk-Willem van Gulik wrote:
Apache HTTPD Security ADVISORY
==
UPDATE 1
Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192
Last Change: 20110824 1800Z
Apache HTTPD Security ADVISORY
==
UPDATE 2
Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192
Last Change: 20110826 1030Z
Date:20110824
On 26/08/11 12:35, Dirk-Willem van Gulik wrote:
Apache HTTPD Security ADVISORY
==
UPDATE 2
Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192
Last Change: 20110826 1030Z
Date:
Option 2: (Pre 2.2 and 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$)
# RewriteCond %{HTTP:request-range} !(bytes=[^,]+(?:,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
^^ Better use
On 26 Aug 2011, at 12:09, Carlos Alberto Lopez Perez wrote:
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
RewriteRule .* - [F]
Because if you don't specify the [OR] apache will
On 08/26/11 13:26, bodik wrote:
Option 2: (Pre 2.2 and 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$)
# RewriteCond %{HTTP:request-range} !(bytes=[^,]+(?:,[^,]+){0,4}$|^$)
Apache HTTPD Security ADVISORY
==
UPDATE 1
Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192
Last Change: 20110824 1800Z
Date: