Nmap Development mailing list archives
Re: Apache byte range vulnerability script
From: Duarte Silva <duarte.silva () serializing me>
Date: Thu, 29 Dec 2011 19:10:34 +0000
On Monday 19 December 2011 18:56:25 Gillman, Joel - SAINT CORPORATION wrote:
Hello -- I'd like to contribute a fix related to the Apache byte range vulnerability detection script at http://nmap.org/svn/scripts/http-vuln-cve2011-3192.nse . The current script submits a range request of eleven individual byte ranges, short and not overlapping, with the comment that eleven is "one more than allowed". This method may detect one of the early vulnerability work-around configurations, but I don't believe it reliably detects the (fixed) Apache versions 2.2.20 or 2.2.21 -- first, because I've found no mention of a limit of ten ranges in connection with the Apache 2.2.20 or .21 releases, and second, because a simple test against a running Apache 2.2.20 server did not show that behavior. Instead, I would suggest this change: "bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10" becomes "bytes=0-,1-,2-" This requests more content than is present at the original URL, regardless of the length of that content, and so should trigger consolidation of three ranges (with response code 206) into one range of the entire URL contents (with response code 200). Apache's (subtle) reference to this behavior is in section "Caveats" of http://httpd.apache.org/security/CVE-2011-3192.txt . I hope this contribution is useful. :)
Hello Gillman, thanks for the contribution :) and sory for the late reply. Anyway, I will be doing some testing and if everything works out, I will give my ok to Patrik for commit. Regards, Duarte Silva
Attachment:
smime.p7s
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Apache byte range vulnerability script Gillman, Joel - SAINT CORPORATION (Dec 19)
- Re: Apache byte range vulnerability script Duarte Silva (Dec 29)
- Re: Apache byte range vulnerability script Patrik Karlsson (Dec 29)
- Re: Apache byte range vulnerability script Duarte Silva (Dec 29)