Re: Apache byte range vulnerability script

[Duarte Silva <duarte.silva () serializing me>]

On Monday 19 December 2011 18:56:25 Gillman, Joel - SAINT CORPORATION wrote:
> Hello --
>
> I'd like to contribute a fix related to the Apache byte range
> vulnerability detection script at
> http://nmap.org/svn/scripts/http-vuln-cve2011-3192.nse .
>
> The current script submits a range request of eleven individual
> byte ranges, short and not overlapping, with the comment that eleven
> is "one more than allowed".  This method may detect one of the early
> vulnerability work-around configurations, but I don't believe it
> reliably detects the (fixed) Apache versions 2.2.20 or 2.2.21 --
> first, because I've found no mention of a limit of ten ranges in
> connection with the Apache 2.2.20 or .21 releases, and second,
> because a simple test against a running Apache 2.2.20 server did
> not show that behavior.
>
> Instead, I would suggest this change:
>     "bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"
> becomes
>     "bytes=0-,1-,2-"
>
> This requests more content than is present at the original URL,
> regardless of the length of that content, and so should trigger
> consolidation of three ranges (with response code 206) into
> one range of the entire URL contents (with response code 200).
> Apache's (subtle) reference to this behavior is in section "Caveats"
> of http://httpd.apache.org/security/CVE-2011-3192.txt .
>
> I hope this contribution is useful.  :)

Hello Gillman,

thanks for the contribution :) and sory for the late reply. Anyway, I will be 
doing some testing and if everything works out, I will give my ok to Patrik 
for commit.

Regards,
Duarte Silva

Attachment: smime.p7s
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/