Koozali.org: home of the SME Server

Contribs.org Forums => General Discussion => Topic started by: darz82 on August 27, 2011, 05:43:42 AM

Title: Apache Killer tool
Post by: darz82 on August 27, 2011, 05:43:42 AM

Just thought I'd update everyone on an apache security flaw.

http://www.h-online.com/security/news/item/Tool-causes-Apache-web-server-to-freeze-Update-1330105.html
http://seclists.org/fulldisclosure/2011/Aug/175

Apache 2.0 is vulnerable from what I've seen, hopefully there will be a centos update soon.

In the mean time here's a temporary solution link.
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser

I think you just add the following three lines to each virtualhost in your httpd.conf

RewriteEngine On
RewriteCond %{HTTP:Range} bytes=0-.* [NC]
RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]

You'll need to restart apache after doing this.

regards

Title: Re: Apache Killer tool
Post by: mmccarn on August 27, 2011, 03:24:48 PM

It looks like this can be done as follows:

Code: [Select]

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
echo '{
    $OUT =<<'HERE';
    #CVE-2011-3192
    RewriteCond %{HTTP:Range} bytes=0-.* [NC]
    RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
HERE
}' > 26aCVE-2011-3192
expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith

Also, I've opened a bug outlining a way to implement the mod_headers work-around: http://bugs.contribs.org/show_bug.cgi?id=6709

Title: Re: Apache Killer tool
Post by: CharlieBrady on August 27, 2011, 05:09:12 PM

Mike's workaround doesn't appear sufficient, base on this:

https://threatpost.com/en_us/blogs/apache-plans-range-header-bug-fix-next-day-082611

We need to look at Range-Request header's as well as Range headers.