Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Apache byte range vulnerability script

From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 29 Dec 2011 20:16:42 +0100
On Thu, Dec 29, 2011 at 8:10 PM, Duarte Silva
<duarte.silva () serializing me>wrote:


On Monday 19 December 2011 18:56:25 Gillman, Joel - SAINT CORPORATION
wrote:

Hello --

I'd like to contribute a fix related to the Apache byte range
vulnerability detection script at
http://nmap.org/svn/scripts/http-vuln-cve2011-3192.nse .

The current script submits a range request of eleven individual
byte ranges, short and not overlapping, with the comment that eleven
is "one more than allowed".  This method may detect one of the early
vulnerability work-around configurations, but I don't believe it
reliably detects the (fixed) Apache versions 2.2.20 or 2.2.21 --
first, because I've found no mention of a limit of ten ranges in
connection with the Apache 2.2.20 or .21 releases, and second,
because a simple test against a running Apache 2.2.20 server did
not show that behavior.

Instead, I would suggest this change:
    "bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"
becomes
    "bytes=0-,1-,2-"

This requests more content than is present at the original URL,
regardless of the length of that content, and so should trigger
consolidation of three ranges (with response code 206) into
one range of the entire URL contents (with response code 200).
Apache's (subtle) reference to this behavior is in section "Caveats"
of http://httpd.apache.org/security/CVE-2011-3192.txt .

I hope this contribution is useful.  :)


Hello Gillman,

thanks for the contribution :) and sory for the late reply. Anyway, I will
be
doing some testing and if everything works out, I will give my ok to Patrik
for commit.

Regards,
Duarte Silva



Thanks Duarte, much appreciated.

//Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: