On September 27, 2011 12:50, Steve Foster <stephenfoster1...@gmail.com> wrote:
anyone? cheers..

    On Wed, Aug 31, 2011 at 5:31 PM, Steve Foster
    <stephenfoster1...@gmail.com <mailto:stephenfoster1...@gmail.com>>
    wrote:

        I've also had a thought: I also implemented the following:
        LimitRequestLine 4000
        which is about half of the default size I believe; could this
        be limiting the impact on my servers and thus not making them
        vulnerable?
        Does anyone know what length of request the killapache script
        sends?


In my opinion, you should defend against the vulnerability rather than trying to defend against a particular script that implements an exploit for the vulnerability.

The best course of action is to upgrade Apache HTTP Server to a version that does not have the vulnerability. If this is not possible in your situation, implement one of the workarounds described in the "Mitigation" section of the advisory: https://httpd.apache.org/security/CVE-2011-3192.txt

In any event, the documentation for the LimitRequestLine directive ( https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline ) says:
The LimitRequestLine directive allows the server administrator to reduce or increase the limit on the allowed size of a client's HTTP request-line. Since the request-line consists of the HTTP method, URI, and protocol version, the LimitRequestLine directive places a restriction on the length of a request-URI allowed for a request on the server. A server needs this value to be large enough to hold any of its resource names, including any information that might be passed in the query part of a GET request.

The killapache.pl script generates request lines that are only 15 characters long ("HEAD / HTTP/1.1"). The killapache.pl script does send long range headers (approximately 8,000 bytes), but headers are not part of the request line. So using the LimitRequestLine directive won't defend against the vulnerability.

--
  Mark Montague
  m...@catseye.org
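Added example (not part of the thread or of Apache's code): a small parser that shows why LimitRequestLine never sees the Range header, beside a header-based check modelled on the advisory's "more than five ranges" workaround. The sample request and the threshold of 5 are constructed here for illustration.

```python
import re

LIMIT_REQUEST_LINE = 4000   # the value from the thread; Apache 2.2's default is 8190
MAX_RANGES = 5              # assumed threshold, mirroring the advisory's mod_rewrite workaround

# Constructed sample request: a 15-byte request line and a Range header carrying
# seven byte ranges.  Real killapache traffic used Range headers of ~8,000 bytes.
SAMPLE_REQUEST = (
    "HEAD / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Range: bytes=0-1,2-3,4-5,6-7,8-9,10-11,12-13\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request_line, {header-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def exceeds_request_line_limit(raw, limit=LIMIT_REQUEST_LINE):
    """What LimitRequestLine enforces: the length of the first line only, never of headers."""
    request_line, _ = parse_request(raw)
    return len(request_line) > limit

def count_ranges(range_value):
    """Count the byte-range specs in a 'bytes=a-b,c-d,...' Range header value."""
    m = re.fullmatch(r"bytes=(.*)", range_value.strip())
    if not m:
        return 0
    return len([spec for spec in m.group(1).split(",") if spec.strip()])

def should_drop_range_header(raw, max_ranges=MAX_RANGES):
    """Advisory-style workaround: unset Range when it carries more than max_ranges specs."""
    _, headers = parse_request(raw)
    return count_ranges(headers.get("range", "")) > max_ranges

if __name__ == "__main__":
    line, hdrs = parse_request(SAMPLE_REQUEST)
    print(len(line), "byte request line;", len(hdrs["range"]), "byte Range header value")
    print("LimitRequestLine 4000 rejects it:", exceeds_request_line_limit(SAMPLE_REQUEST))
    print("Range-count workaround drops the header:", should_drop_range_header(SAMPLE_REQUEST))
```

The request line stays well under 4000 bytes no matter how large the Range header grows, which is exactly the point made above; only a rule that inspects the Range header itself catches the request.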


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
