Apache DOS

User pvanthony
Date 8/26/2011 10:20 pm
pvanthony

Hi,

Hope this is the correct forum to post this.

Saw this advisory on Apache at,

http://article.gmane.org/gmane.comp.apache.announce/59

Would copying the following code to every site mod_proxy conf solve the issue?

Option 1: (Apache 2.2)

          # Needs mod_setenvif (SetEnvIf) and mod_headers (RequestHeader).
          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          # The pattern is an unanchored search, so it fires on any value
          # containing five or more commas, i.e. six or more byte ranges.
          SetEnvIf Range (?:,.*?){5,5} bad-range=1
          RequestHeader unset Range env=bad-range

          # We always drop Request-Range; as this is a legacy
          # dating back to MSIE3 and Netscape 2 and 3.
          RequestHeader unset Request-Range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range
          # Nothing above sets bad-req-range, so this second line never logs
          # anything; Request-Range is dropped unconditionally regardless.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-req-range

Or should I use option 2

Option 2: (Pre 2.2 and 1.3)

          # Needs mod_rewrite and mod_headers.
          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          # The condition is negated: the request passes only if the Range
          # value is at most five comma-separated ranges, or is empty/absent
          # (%{HTTP:range} is the empty string when the header is missing).
          # Anything else gets a 403 Forbidden.
          RewriteEngine on
          RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$)
          # RewriteCond %{HTTP:request-range} !(bytes=[^,]+(?:,[^,]+){0,4}$|^$)
          RewriteRule .* - [F]

          # We always drop Request-Range; as this is a legacy
          # dating back to MSIE3 and Netscape 2 and 3.
          RequestHeader unset Request-Range

Need advice on how to prevent this denial of service threat.

P.V.Anthony

perlDreamer

According to the vulnerability disclosure, either solution will address the problem.  You should be able to choose either, because mod_rewrite is enabled on your mod_proxy instance.  We do not use the language modules, or mod_cache.

WebGUI 8 will not suffer from this problem, because our preferred server will not be apache.  Instead, we'll use one of the plack servers.
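To see concretely what each snippet does to a request, and to check the point above that the two options give the same result, here is an added Python example that is not part of this thread, of the Apache advisory, or of WebGUI. It lifts the two regexes verbatim from the first post, applies them the way mod_setenvif/mod_headers (option 1) and mod_rewrite (option 2) would, and runs them over constructed Range headers, including an overlapping-ranges value of the general shape CVE-2011-3192 is about. The raw request text and the `overlapping_ranges` helper are assumptions of the example, not anything taken from the advisory.

```python
import re

# Regexes copied verbatim from the two mitigation snippets in the first post.
# Option 1 (SetEnvIf): an unanchored search, so it fires on any value with
# five or more commas, i.e. six or more byte ranges.
OPT1_BAD_RANGE = re.compile(r"(?:,.*?){5,5}")
# Option 2 (RewriteCond, negated in the rule): the request is allowed only if
# the value is at most five comma-separated ranges, or empty/absent.
OPT2_OK_RANGE = re.compile(r"(bytes=[^,]+(,[^,]+){0,4}$|^$)")


def parse_headers(raw_request):
    """Split a raw HTTP/1.1 request into (request_line, {lower-name: value}).

    Only what is needed here: no folded headers, no duplicate names."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def option1_filter(headers):
    """Mimic option 1: unset Range when it has more than five ranges and
    always unset Request-Range. Returns (filtered_headers, range_dropped)."""
    filtered = dict(headers)
    range_dropped = False
    if "range" in filtered and OPT1_BAD_RANGE.search(filtered["range"]):
        del filtered["range"]
        range_dropped = True  # the bad-range=1 case that the CustomLog records
    filtered.pop("request-range", None)
    return filtered, range_dropped


def option2_filter(headers):
    """Mimic option 2: 'RewriteRule .* - [F]' fires unless %{HTTP:range}
    matches the allow regex. A missing header is the empty string in
    mod_rewrite, which the ^$ alternative accepts. Returns an HTTP status."""
    value = headers.get("range", "")
    return 200 if OPT2_OK_RANGE.search(value) else 403


def overlapping_ranges(count):
    """Constructed sample input (assumed shape, not copied from the advisory):
    one open range followed by `count` tiny overlapping ranges."""
    return "bytes=0-" + "".join(",5-%d" % i for i in range(count))


def both_agree(range_value):
    """True when option 1 keeps the header exactly when option 2 lets the
    request through, i.e. the two snippets draw the line in the same place."""
    headers = {"range": range_value} if range_value is not None else {}
    _, dropped = option1_filter(headers)
    status = option2_filter(headers)
    return (not dropped) == (status == 200)


if __name__ == "__main__":
    # Constructed sample request carrying both headers the snippets touch.
    raw = ("GET /index.html HTTP/1.1\r\n"
           "Host: www.example.com\r\n"
           "Range: " + overlapping_ranges(1300) + "\r\n"
           "Request-Range: bytes=0-10\r\n\r\n")
    request_line, headers = parse_headers(raw)
    kept, dropped = option1_filter(headers)
    print(request_line)
    print("option 1: Range dropped =", dropped, "; headers left =", sorted(kept))
    print("option 2: status =", option2_filter(headers))
    for sample in (None, "", "bytes=0-", "bytes=0-1,2-3,4-5,6-7,8-9",
                   "bytes=0-1,2-3,4-5,6-7,8-9,10-11", overlapping_ranges(1300)):
        print("%-40r agree=%s" % (str(sample)[:38], both_agree(sample)))
```

Both regexes put the cut-off at five ranges: a six-range value is stripped by option 1 and refused with a 403 by option 2, while single, five-range, empty and absent headers pass both. Note that the unanchored `{5,5}` behaves exactly like `{5,}`. This only exercises the regex logic; the check that matters on a real box is to send such a request at a staging instance after reloading the config and confirm that the Range header no longer reaches the backend (option 1) or that the response is a 403 (option 2), with memory on the Apache children staying flat.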

Trex

WebGUI 8 will not suffer from this problem, because our preferred server will not be apache.  Instead, we'll use one of the plack servers.

For those of us who make frequent use of Apache rewrite rules, are there similar plack tools to perform the same tasks?

Just off the top of my head, I've used rewrite rules in mod_proxy to divert traffic off to legacy PHP tools, to redirect users from old systems/URLs to new ones, and as additional security layers by preventing certain traffic from getting through. I'm curious about the improvements plack might bring, but I'm also worried about the learning curve to figure out how to replicate all these behaviors in a new system.

pvanthony

According to the vulnerability disclosure, either solution will address the problem.  You should be able to choose either, because mod_rewrite is enabled on your mod_proxy instance.  We do not use the language modules, or mod_cache.

Thank you for the reply.

P.V.Anthony

© 2012 Plain Black Corporation | All Rights Reserved