On September 27, 2011 12:50, Steve Foster <stephenfoster1...@gmail.com>
wrote:
Anyone? Cheers.
On Wed, Aug 31, 2011 at 5:31 PM, Steve Foster
<stephenfoster1...@gmail.com <mailto:stephenfoster1...@gmail.com>>
wrote:
I've also had a thought. I also implemented the following:
LimitRequestLine 4000
which is about half of the default size, I believe. Could this
be limiting the impact on my servers and thus not making them
vulnerable?
Does anyone know what length of request the killapache script
sends?
In my opinion, you should defend against the vulnerability rather than
trying to defend against a particular script that implements an exploit
for the vulnerability.
The best course of action is to upgrade Apache HTTP Server to a version
that does not have the vulnerability. If this is not possible in your
situation, implement one of the workarounds described in the
"Mitigation" section of the advisory:
https://httpd.apache.org/security/CVE-2011-3192.txt
In any event, the documentation for the LimitRequestLine directive (
https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline ) says:
The LimitRequestLine directive allows the server administrator to
reduce or increase the limit on the allowed size of a client's HTTP
request-line. Since the request-line consists of the HTTP method, URI,
and protocol version, the LimitRequestLine directive places a
restriction on the length of a request-URI allowed for a request on
the server. A server needs this value to be large enough to hold any
of its resource names, including any information that might be passed
in the query part of a GET request.
The killapache.pl script generates request lines that are only 15
characters long ("HEAD / HTTP/1.1"). The killapache.pl script does send
long range headers (approximately 8,000 bytes), but headers are not part
of the request line. So using the LimitRequestLine directive won't
defend against the vulnerability.
--
Mark Montague
m...@catseye.org
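To make the distinction above concrete, here is a small added example (written for this page; it is not code from the thread, from the killapache script, or from Apache httpd). It models the three size checks httpd applies to an incoming request head, LimitRequestLine, LimitRequestFieldSize and LimitRequestFields, using the documented httpd 2.2 defaults of 8190, 8190 and 100, and runs them over a constructed request shaped like the one Mark describes: a 15-byte request line ("HEAD / HTTP/1.1") plus a Range header of roughly 8,000 bytes. The Range value is a constructed placeholder of that size, not the script's actual payload; the count_ranges helper is the sort of check the linked advisory's rewrite-rule workaround performs on the number of ranges.

```python
"""Which httpd request limit applies to which part of a request?

Added example: a plain-Python model of the size checks behind httpd's
LimitRequestLine, LimitRequestFieldSize and LimitRequestFields directives,
run over a constructed request with a short request line and a long
Range header. Default values are httpd 2.2's documented defaults.
"""
from typing import List, Tuple

DEFAULT_LIMIT_REQUEST_LINE = 8190        # LimitRequestLine default
DEFAULT_LIMIT_REQUEST_FIELD_SIZE = 8190  # LimitRequestFieldSize default
DEFAULT_LIMIT_REQUEST_FIELDS = 100       # LimitRequestFields default


def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into its request line and headers.

    Only the head (up to the blank line) is considered; any body is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def check_limits(raw: bytes,
                 limit_request_line: int = DEFAULT_LIMIT_REQUEST_LINE,
                 limit_request_field_size: int = DEFAULT_LIMIT_REQUEST_FIELD_SIZE,
                 limit_request_fields: int = DEFAULT_LIMIT_REQUEST_FIELDS) -> List[str]:
    """Return the limits the request would trip (empty list = accepted).

    Each directive governs a different part of the request:
      - LimitRequestLine      -> bytes in the request line only
      - LimitRequestFieldSize -> bytes in each individual header line
      - LimitRequestFields    -> number of header lines
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    violations = []
    if len(lines[0]) > limit_request_line:
        violations.append(f"LimitRequestLine: request line is {len(lines[0])} bytes")
    header_lines = lines[1:]
    if len(header_lines) > limit_request_fields:
        violations.append(f"LimitRequestFields: {len(header_lines)} header lines")
    for line in header_lines:
        if len(line) > limit_request_field_size:
            name = line.split(b":", 1)[0].decode("latin-1")
            violations.append(f"LimitRequestFieldSize: header {name} is {len(line)} bytes")
    return violations


def count_ranges(range_value: str) -> int:
    """Number of byte-range specs in a Range header value ("bytes=a-b,c-d,...")."""
    _, _, specs = range_value.partition("=")
    return len([s for s in specs.split(",") if s.strip()])


# Constructed sample (not the script's payload): a 15-byte request line and a
# Range header that, like the one described in the message, is close to
# 8,000 bytes long.
REQUEST_LINE = "HEAD / HTTP/1.1"
RANGE_VALUE = "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(1000))
SAMPLE_REQUEST = (
    f"{REQUEST_LINE}\r\nHost: www.example.com\r\nRange: {RANGE_VALUE}\r\n\r\n"
).encode("latin-1")

if __name__ == "__main__":
    line, _headers = parse_request(SAMPLE_REQUEST)
    print(f"request line: {line!r} ({len(line)} bytes)")
    print(f"Range header: {len(RANGE_VALUE)} bytes, {count_ranges(RANGE_VALUE)} ranges")
    # Steve's setting: the request line is far below 4000, so the request passes.
    print("LimitRequestLine 4000     ->",
          check_limits(SAMPLE_REQUEST, limit_request_line=4000) or "accepted")
    # A header-size limit is what actually rejects the oversized Range line.
    print("LimitRequestFieldSize 200 ->",
          check_limits(SAMPLE_REQUEST, limit_request_field_size=200) or "accepted")
```

Running it shows a LimitRequestLine of 4000 accepting the request untouched, because only the 15-byte request line is measured against it, while a header-size limit flags the Range line; as the advisory notes for its LimitRequestFieldSize workaround, a low value can also break legitimate large headers such as cookies, so the upgrade remains the real fix.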
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org