Ping a Specific Port

Question

maff

Asked: 2011-08-26 03:44:01 +0800 CST2011-08-26 03:44:01 +0800 CST 2011-08-26 03:44:01 +0800 CST

Apache - disable range requests - disadvantages?

772

As there is a working exploit against Apache's byte range implementation (CVE-2011-3192, see here), I'd like to disable it until official patches are shipped with my distros (Debian, Ubuntu). The sites are all "normal" websites without big downloads. Are there any disadvantages in disabling the feature besides downloads that can't be resumed?

PS.: I'm disabling the feature by enabling mod_headers and unsetting the range header using the following line:

RequestHeader unset Range

1 Answers

Voted

Shane Madden · Answer 1 · 2011-08-26T08:17:37+08:00

Best Answer

Shane Madden

2011-08-26T08:17:37+08:002011-08-26T08:17:37+08:00

Some applications that make requests to sites directly like to use ranges - I believe Adobe Reader is a good example.

You can grep through your Apache logs looking for 206 partial response codes to see if anyone's actually using ranges for your site.

For a workaround for this exploit, I'd say use the one recommended by Apache, which simply blocks ranges when there's more than 5 sets requested - which should leave any normal range requests unaffected, but block malicious ones:

SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

7

Apache - disable range requests - disadvantages?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?