LWN: Comments on "An updated Apache DOS advisory"

An updated Apache DOS advisory

frumious — Wed, 31 Aug 2011 03:09:19 +0000

2.2.20 is out - https://www.apache.org/dist/httpd/Announcement2.2.html

The main download page still shows 2.2.19, but you can find 2.2.20 on the mirror sites if you get a directory index.

How to check, whether a host is vulnerable?

tialaramex — Fri, 26 Aug 2011 23:28:02 +0000

If you know its possible to issue Range requests against your server, it's vulnerable.

If you know for sure it's _not_ possible to issue such requests (e.g. they will definitely always result in an error) then it's not vulnerable.

If you're not sure, the former is far more likely than the latter, lots of things might allow Range requests, and it only takes one.

The "killapache.pl" script requires that the remote server is willing to compress data with gzip/ deflate. This is completely tangential to the actual problem, and so the script is largely useless as a "test tool".

How to check, whether a host is vulnerable?

debacle — Fri, 26 Aug 2011 20:36:21 +0000

I tried pointing the killapache.pl gun against all my Apaches and it always says "Host does not seem vulnerable". I'm not yet tranquilised.

An updated Apache DOS advisory

cesarb — Fri, 26 Aug 2011 19:01:49 +0000

As to

> Should the regexp not be (?:,.*?){5,} instead of (?:,.*?){5,5} so that it matches 5 or more ranges and not just exactly 5?

It depends on whether the regex is anchored or not. If it is not anchored to the start and the end of the string, it will match on any sequence of exactly 5 ranges within the header, even if it has more.[*]

From the examples at https://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#s..., it seems the regex is not anchored (some of the examples there anchor it explicitly).

[*] Actually, if I am reading it right, it should match whenever there are at least _6_ ranges, since it will ignore the first one because it is not preceded by a comma.

An updated Apache DOS advisory

dskoll — Fri, 26 Aug 2011 18:54:37 +0000

Should the regexp not be (?:,.*?){5,} instead of (?:,.*?){5,5} so that it matches 5 or more ranges and not just exactly 5?

No. The expression is not anchored, so you might as well quit after 5. {5,5} (or better {5}) is faster than {5,}

An updated Apache DOS advisory

cesarb — Fri, 26 Aug 2011 18:50:39 +0000

> I can't believe they would get that wrong

I can. They are under quite a lot of time pressure, and due to the importance of httpd, they have to get the definitive fix right. And for this bug, it is not a simple one-liner.

Take a look at https://mail-archives.apache.org/mod_mbox/httpd-dev/20110..., where both the fix and these advisories are being developed, and note the amount of email exchanged over this issue on the last couple of days. From a quick look, the amount of messages about this issue is around double the amount of messages for the rest of the month.

> Isn't there a env=bad-req-range missing at the end of "RequestHeader unset Request-Range" because the second logging rule needs it?

No, they meant to always remove the obsolete Request-Range header. Instead, what is missing is the SetEnvIf which would set that variable for the logging rule to use.

An updated Apache DOS advisory

nkiesel — Fri, 26 Aug 2011 18:31:39 +0000

I can't believe they would get that wrong, so please tell my why the following two issues with option 1 are not problematic:

1) Should the regexp not be (?:,.*?){5,} instead of (?:,.*?){5,5} so that it matches 5 or more ranges and not just exactly 5?

2) Isn't there a env=bad-req-range missing at the end of "RequestHeader unset Request-Range" because the second logging rule needs it?

</nk>