As there is a working exploit against Apache's byte range implementation (CVE-2011-3192, see here), I'd like to disable it until official patches are shipped with my distros (Debian, Ubuntu). The sites are all "normal" websites without big downloads. Are there any disadvantages in disabling the feature besides downloads that can't be resumed?

PS.: I'm disabling the feature by enabling mod_headers and unsetting the range header using the following line:

```apache
RequestHeader unset Range
```
sysadmin1138
maff

1 Answer

Some applications that make requests to sites directly like to use ranges - I believe Adobe Reader is a good example.

You can grep through your Apache logs looking for 206 partial response codes to see if anyone's actually using ranges for your site.

For a workaround for this exploit, I'd say use the one recommended by Apache, which simply blocks ranges when there's more than 5 sets requested - which should leave any normal range requests unaffected, but block malicious ones:

```apache
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
```
Shane Madden
  • Is SetEnvIf good for Apache 1.3? How can I protect an Apache with a lot of virtual name servers and a lot of DocumentRoots? – osgx Aug 26 '11 at 22:40
  • @osgx A different mitigation is recommended for 1.3 - using mod_rewrite to reject the malicious requests outright. See [here](http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/raw/%3C20110824161640.122D387DD@minotaur.apache.org%3E) for the implementation info, under the "mitigation" section. – Shane Madden Aug 26 '11 at 22:47
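
The log check suggested in the answer above, as an added example that is not part of the original thread: it counts 206 responses per path and client so you can see who would be affected before unsetting `Range`. It assumes the stock "combined" LogFormat; `range_users` and `sample_log` are names made up here, and the log lines are constructed.

```shell
#!/bin/sh
# Summarise 206 (Partial Content) responses in an Apache access log.
# Assumption: the stock "combined" LogFormat. range_users and sample_log
# are hypothetical names used only in this example.

range_users() {
    # Splitting on double quotes gives: $2 = request line,
    # $3 = " status bytes ", $6 = User-Agent. A User-Agent that itself
    # contains an escaped quote (\") is cut at that quote.
    awk -F'"' '
        {
            split($3, sb, " ")          # sb[1] = status, sb[2] = bytes
            if (sb[1] != "206") next    # only partial-content responses
            split($2, req, " ")         # req[1] = method, req[2] = URL
            sub(/\?.*/, "", req[2])     # group by path, drop query string
            hits[req[2] "\t" $6]++
        }
        END {
            # Output columns: count <TAB> path <TAB> user agent
            for (k in hits) printf "%d\t%s\n", hits[k], k
        }
    ' "$@" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed sample lines (documentation IP ranges, invented paths/agents).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [26/Aug/2011:22:01:07 +0000] "GET /docs/manual.pdf HTTP/1.1" 206 32768 "-" "ExampleReader/1.0"
192.0.2.10 - - [26/Aug/2011:22:01:08 +0000] "GET /docs/manual.pdf HTTP/1.1" 206 65536 "-" "ExampleReader/1.0"
198.51.100.7 - - [26/Aug/2011:22:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "ExampleBrowser/5.0"
203.0.113.5 - - [26/Aug/2011:22:03:40 +0000] "GET /media/intro.mp4?t=1 HTTP/1.1" 206 1048576 "-" "ExamplePlayer/2.3"
198.51.100.7 - - [26/Aug/2011:22:04:02 +0000] "GET /docs/manual.pdf HTTP/1.1" 200 204800 "-" "ExampleBrowser/5.0"
EOF
}

# Demo on the constructed sample; on a server, pass the access log path
# as an argument to range_users instead.
sample_log | range_users
```

An empty result means no client received a partial response in that log, so unsetting `Range` would not have changed anything for the traffic it covers.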