Full Disclosure mailing list archives

Re: Apache Killer


From: "-= Glowing Sex =-" <doomxd () gmail com>
Date: Wed, 24 Aug 2011 18:24:20 +1000

Ciao davide,
Very nice, thanks for the submittal and thoughts regarding this issue, all
of it is handy..
Only problem with these patches, unless you look at the advisory/and or
patch and see exactly what needs to be filtered, only then maybe can have a
really tough regex, which btw would be VERY cool and handy!
Good line of thinking anyhow. Props.
xd


On 24 August 2011 18:03, Davide Guerri <davide.guerri () gmail com> wrote:

While waiting for an official patch, how about the following workaround?

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]


The workaround uses mod_rewrite to forbid get|head requests with multiple
ranges in the Range HTTP header.
The second regex could be improved but it works for the exploit released so
far...

Cheers,
 Davide.


On 24/ago/2011, at 08:01, -= Glowing Sex =- wrote:

This is handy to read for anyone who runs apache... its worth a look...
thx kcope ;>
xd


On 24 August 2011 13:26, HI-TECH . <isowarez.isowarez.isowarez () googlemail com> wrote:
Hello list,
oops looks like this bug has nothing to do with mod_deflate/mod_gzip,
read on here where the apache team is resolving the issue:

http://www.gossamer-threads.com/lists/apache/dev/401638

Cheers,

Kingcope

2011/8/20 Moritz Naumann <security () moritz-naumann com>:
On 20.08.2011 00:23 HI-TECH . wrote:
(see attachment)
/Kingcope

Works (too) well here. Are there any workarounds other than rate
limiting or detecting + dropping the traffic IPS-wise?

Moritz


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

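To see what Davide's RewriteCond actually lets through and what it rejects, the following added example (not code from the thread or from the Apache project) compiles the same regex with Python's re module and runs it over a few constructed Range headers. It also carries the check one step further than the posted rule: instead of rejecting every request that carries more than one range, it counts the ranges and rejects only when the count passes a threshold. The threshold value MAX_RANGES, the function names and the sample headers are assumptions made for this example; the thread only gives the regex.

```python
import re

# Same pattern as the RewriteCond posted in the thread, compiled with Python's re
# (this subset of the syntax is common to PCRE, which mod_rewrite uses, and Python).
MULTI_RANGE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")

# Assumed threshold for the generalized check; not taken from the thread.
MAX_RANGES = 5


def count_ranges(range_header):
    """Count the 'start-end' specs after 'bytes='; 0 when the header is absent or empty."""
    if not range_header:
        return 0
    _, _, spec = range_header.partition("=")
    if not spec.strip():
        return 0
    return sum(1 for part in spec.split(",") if part.strip())


def rewrite_rule_blocks(method, range_header):
    """Mirror the posted rule: GET/HEAD plus a Range header matching the regex -> 403."""
    if method.upper() not in ("GET", "HEAD"):
        return False
    return range_header is not None and MULTI_RANGE.search(range_header) is not None


def threshold_blocks(method, range_header, limit=MAX_RANGES):
    """Generalized check: reject only when more than `limit` ranges are requested."""
    if method.upper() not in ("GET", "HEAD"):
        return False
    return count_ranges(range_header) > limit


# Constructed sample requests (method, Range header value); not captured traffic.
SAMPLES = [
    ("GET", None),                                                # no Range header
    ("GET", "bytes=0-499"),                                       # one range: ordinary resume
    ("GET", "bytes=0-499,1000-1499"),                             # two ranges: legitimate,
                                                                  # but the posted rule rejects it
    ("GET", "bytes=" + ",".join(f"{i}-{i}" for i in range(50))),  # 50 ranges in one header
    ("POST", "bytes=0-0,1-1,2-2"),                                # not GET/HEAD: rule does not apply
]


def classify(samples=SAMPLES):
    """Return (method, range count, posted rule verdict, threshold verdict) per sample."""
    return [
        (method, count_ranges(hdr), rewrite_rule_blocks(method, hdr), threshold_blocks(method, hdr))
        for method, hdr in samples
    ]


if __name__ == "__main__":
    for method, n, posted, thresh in classify():
        print(f"{method:4} ranges={n:3} posted_rule_403={posted!s:5} threshold_403={thresh}")
```

The comparison makes the trade-off in the thread concrete: the posted regex does stop the many-range requests, but it also returns 403 for a client that asks for just two ranges, which is what "the second regex could be improved" points at. A count-based condition keeps ordinary multi-range clients working while still rejecting headers stuffed with dozens of ranges; pick the limit to suit the clients your site actually serves.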
