Posted to users@httpd.apache.org by Steve Foster <st...@gmail.com> on 2011/09/08 19:14:33 UTC
Re: [users@httpd] Which module is affected by the Range header issue?
All,
did anyone have any thoughts or opinions on this?
cheers
Steve
On Wed, Aug 31, 2011 at 5:31 PM, Steve Foster
<st...@gmail.com> wrote:
> I've also had a thought: I also implemented the following:
>
> LimitRequestLine 4000
>
> Which is about half of the default size, I believe. Could this be limiting
> the impact on my servers and thus not making them vulnerable?
>
> Does anyone know what length of request the killapache script sends?
>
> cheers
>
> Steve
>
Re: [users@httpd] Which module is affected by the Range header issue?
Posted by Mark Montague <ma...@catseye.org>.
On September 27, 2011 12:50, Steve Foster <st...@gmail.com>
wrote:
> anyone? cheers..
>
>
> On Wed, Aug 31, 2011 at 5:31 PM, Steve Foster
> <stephenfoster1971@gmail.com>
> wrote:
>
> I've also had a thought: I also implemented the following:
> LimitRequestLine 4000
> Which is about half of the default size, I believe. Could this
> be limiting the impact on my servers and thus not making them
> vulnerable?
> Does anyone know what length of request the killapache script
> sends?
>
In my opinion, you should defend against the vulnerability rather than
trying to defend against a particular script that implements an exploit
for the vulnerability.
The best course of action is to upgrade Apache HTTP Server to a version
that does not have the vulnerability. If this is not possible in your
situation, implement one of the workarounds described in the
"Mitigation" section of the advisory:
https://httpd.apache.org/security/CVE-2011-3192.txt
In any event, the documentation for the LimitRequestLine directive (
https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline ) says:
> The LimitRequestLine directive allows the server administrator to
> reduce or increase the limit on the allowed size of a client's HTTP
> request-line. Since the request-line consists of the HTTP method, URI,
> and protocol version, the LimitRequestLine directive places a
> restriction on the length of a request-URI allowed for a request on
> the server. A server needs this value to be large enough to hold any
> of its resource names, including any information that might be passed
> in the query part of a GET request.
The killapache.pl script generates request lines that are only 15
characters long ("HEAD / HTTP/1.1"). The killapache.pl script does send
long range headers (approximately 8,000 bytes), but headers are not part
of the request line. So using the LimitRequestLine directive won't
defend against the vulnerability.
--
Mark Montague
mark@catseye.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
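The distinction Mark draws above (LimitRequestLine bounds only the request line, while the Range header lives in the header block) is easy to check mechanically. The following is an added example, not code from the thread or from httpd: it parses a constructed request with a 15-byte request line and a roughly 8,000-byte Range header, then reports which configured limit would actually trip. The 8190-byte defaults are httpd's documented defaults for LimitRequestLine and LimitRequestFieldSize; measuring the whole header line for the field-size check and the max_ranges threshold of 5 are assumptions chosen for illustration.

```python
# Added example (not from the mailing-list thread or httpd): show why a
# LimitRequestLine cap never touches an oversized Range header.

# Constructed sample request, not captured traffic: a 15-byte request line
# and a Range header of roughly 8,000 bytes carrying 1,000 byte-ranges.
SAMPLE_RANGE = "bytes=" + ",".join(f"{i}-{i}" for i in range(1000))
SAMPLE_REQUEST = (
    "HEAD / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    f"Range: {SAMPLE_RANGE}\r\n"
    "\r\n"
)


def parse_head(raw: str):
    """Split an HTTP/1.x request head into (request_line, [header lines])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    return lines[0], lines[1:]


def count_ranges(header_lines):
    """Number of range-specs in the Range header; 0 if absent or not a
    byte-range request."""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "range":
            value = value.strip()
            if not value.lower().startswith("bytes="):
                return 0
            return len([s for s in value[len("bytes="):].split(",") if s.strip()])
    return 0


def check_limits(raw, limit_request_line=8190,
                 limit_request_field_size=8190, max_ranges=5):
    """Report which limits a request would trip. Defaults mirror httpd's
    documented defaults (8190 bytes); max_ranges=5 is an assumed threshold
    in the spirit of the advisory's range-count workarounds."""
    request_line, header_lines = parse_head(raw)
    # Assumption: LimitRequestFieldSize is approximated as the full header line.
    longest_field = max((len(h) for h in header_lines), default=0)
    ranges = count_ranges(header_lines)
    return {
        "request_line_len": len(request_line),
        "longest_field_len": longest_field,
        "range_count": ranges,
        "over_limit_request_line": len(request_line) > limit_request_line,
        "over_limit_request_field_size": longest_field > limit_request_field_size,
        "too_many_ranges": ranges > max_ranges,
    }
```

With LimitRequestLine 4000 the sample's 15-byte request line passes untouched; only a header-size or range-count limit sees the oversized Range header.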
Re: [users@httpd] Which module is affected by the Range header issue?
Posted by Steve Foster <st...@gmail.com>.
anyone? cheers..
On Thu, Sep 8, 2011 at 6:14 PM, Steve Foster <st...@gmail.com> wrote:
> All,
>
> did anyone have any thoughts or opinions on this?
>
> cheers
>
> Steve
>
> On Wed, Aug 31, 2011 at 5:31 PM, Steve Foster <
> stephenfoster1971@gmail.com> wrote:
>
>> I've also had a thought: I also implemented the following:
>>
>> LimitRequestLine 4000
>>
>> Which is about half of the default size, I believe. Could this be limiting
>> the impact on my servers and thus not making them vulnerable?
>>
>> Does anyone know what length of request the killapache script sends?
>>
>> cheers
>>
>> Steve
>>
>