Carlos Alberto Lopez Perez wrote:
> The new advisory [1] recommends this:
>
> # Drop the Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (?:,.*?){5,5} bad-range=1
> RequestHeader unset Range env=bad-range
>
> # We always drop Request-Range; as this is a legacy
> # dating back to MSIE3 and Netscape 2 and 3.
> RequestHeader unset Request-Range
>
> # optional logging.
> CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
> CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range

What's the use of the second CustomLog line? 'bad-req-range' is never set, is it?

- Thomas
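
The check behind the question above, as an added example that is not part of the original message or the advisory: a small Python lint that lists `env=` conditions whose variable no `SetEnvIf`/`BrowserMatch` directive in the same config sets. The function names and the sample (a constructed copy of the quoted snippet, one directive per line) are assumptions; `SetEnv`, `RewriteRule [E=...]` and quoted regexes containing spaces are not handled.

```python
import re

# Directive -> number of leading arguments (attribute, regex) before the variables.
SETTERS = {"setenvif": 2, "setenvifnocase": 2,
           "browsermatch": 1, "browsermatchnocase": 1}
ENV_REF = re.compile(r"\benv=!?([A-Za-z0-9_-]+)")

# Constructed sample: the quoted snippet, one directive per line.
SAMPLE = """\
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
RequestHeader unset Request-Range
# optional logging.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range
"""

def logical_lines(text):
    """Yield (line_number, directive), skipping comments, joining '\\' continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def undefined_env_refs(text):
    """Return [(line_number, variable)] for env= conditions that nothing sets."""
    defined, refs = set(), []
    for no, line in logical_lines(text):
        words = line.split()
        skip = SETTERS.get(words[0].lower())
        if skip is None:
            refs += [(no, name) for name in ENV_REF.findall(line)]
        else:
            # Remaining arguments have the form [!]name[=value].
            defined.update(w.lstrip("!").split("=", 1)[0] for w in words[1 + skip:])
    return [(no, name) for no, name in refs if name not in defined]

if __name__ == "__main__":
    for no, name in undefined_env_refs(SAMPLE):
        print(f"line {no}: env={name} is tested but never set")
```

A `CustomLog` conditioned on a variable that is never set writes nothing, so running a check like this over a hardening snippet before deployment catches logging rules that would silently stay empty.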