LWN: Comments on "Nasty Apache denial of service vulnerability"

Nasty Apache denial of service vulnerability

happynut — Sun, 28 Aug 2011 21:59:12 +0000

The vulnerability was updated. Request-range is vulnerable too:

Nasty Apache denial of service vulnerability

SEJeff — Thu, 25 Aug 2011 18:23:25 +0000

Yup just trying to point it out for the TL;DNR people who are much like myself :)

Nasty Apache denial of service vulnerability

rickmoen — Thu, 25 Aug 2011 18:18:35 +0000

Don't forget to do

a2enmod headers

...or Apache httpd may choke on invalid configuration lines and refuse to start (if the 'headers' module isn't enabled). Rick Moen rick@linuxmafia.com

Nasty Apache denial of service vulnerability

ovitters — Thu, 25 Aug 2011 13:54:30 +0000

I just copied that from this announcement. Yay for Puppet :P

Nasty Apache denial of service vulnerability

SEJeff — Thu, 25 Aug 2011 13:00:01 +0000

Great fix for gnome.org servers from bkor for your apache config:
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

Allows legit range requests to work and kills it after > 5.

Nasty Apache denial of service vulnerability

tialaramex — Thu, 25 Aug 2011 11:02:53 +0000

Let's not get ahead of ourselves, the Apache advisory itself says that some of the POC / test scripts don't actually work on a typical out-of-box install, not because it isn't vulnerable, but because they're making bad assumptions. Real bad guys could fix this, but obviously the Apache team isn't going to spell out how.

If we look at Red Hat's security numbers we see that a significant number of POCs fail out-of-box against RHEL, but a knowledgeable hacker could fix them because RHEL was actually vulnerable. This means you're safer than you might appear to be against script kiddies (who won't know how) but could get a false sense of security if your adversaries are sophisticated. The same probably applies here to Apache on OpenBSD.

Nasty Apache denial of service vulnerability

etrusco — Thu, 25 Aug 2011 07:53:56 +0000

If the fix was intentional and not communicated upstream, I "can't say nothing" for OpenBSD.

Nasty Apache denial of service vulnerability

imgx64 — Thu, 25 Aug 2011 06:19:27 +0000

>Versions: Apache 1.3 all versions

That's not entirely true. It doesn't affect OpenBSD's fork according to http://marc.info/?l=openbsd-misc&m=131424693000610&...

Nasty Apache denial of service vulnerability

Hausvib6 — Thu, 25 Aug 2011 02:02:26 +0000

This vulnerability can be a nice addition to LOIC. Fewer drones, more damages, though it's far easier to mitigate...

Nasty Apache denial of service vulnerability

sjlyall — Thu, 25 Aug 2011 01:20:11 +0000

Amusingly the ad I'm getting next to this story is for "Neoload Web Stress Tool"

Nasty Apache denial of service vulnerability

jonabbey — Wed, 24 Aug 2011 23:21:21 +0000

Note that the killapache.pl script linked from the fulldisclosure forum will report that a server is 'Not Vulnerable' if the '/' resource is provided by PHP, as PHP does not support the Range header.

If such a server provides any image files, though, a URL for an image file can be substituted in the killapache script, whereupon the Range DoS attack will function just fine.

Nasty Apache denial of service vulnerability

jonabbey — Wed, 24 Aug 2011 21:38:51 +0000

This seems remarkably bad. I'm surprised I've not heard more buzz about this on the social networks.