Apache - disable range requests - disadvantages?
Some applications that make requests to sites directly like to use ranges - I believe Adobe Reader is a good example.
You can grep through your Apache logs looking for 206 partial response codes to see if anyone's actually using ranges for your site.
For a workaround for this exploit, I'd say use the one recommended by Apache, which simply blocks ranges when there are more than 5 sets requested - which should leave any normal range requests unaffected, but block malicious ones:
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
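Two checks that go with the advice above, as an added example (not code from the original answer or from the Apache project): the first counts 206 responses in a combined-format access log by status field rather than by a bare grep for "206" (which would also hit URLs or byte counts containing that number), and the second applies the same test the SetEnvIf rule applies, at least five commas in the Range value, which means six or more byte ranges, to a header value so you can see exactly where the cut-off falls. The function names, the sample log lines and the addresses in them are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the original answer. Two checks around the
# CVE-2011-3192 mod_headers mitigation:
#   count_partial_responses  - how many requests in an access log were
#                              answered 206 Partial Content (real Range users)
#   range_header_is_bad      - does a Range value contain five or more commas,
#                              the condition the SetEnvIf rule (,.*?){5,} tests

# Constructed sample access log in combined format. The 206 lines stand in
# for a PDF reader resuming a download; the last line shows why a plain
# "grep 206" is unreliable: the URL and byte count contain 206 but the status
# is 200.
SAMPLE_LOG='192.0.2.10 - - [24/Aug/2011:10:00:01 +0000] "GET /docs/report.pdf HTTP/1.1" 206 65536 "-" "Mozilla/5.0 (Adobe Reader)"
192.0.2.11 - - [24/Aug/2011:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Aug/2011:10:00:03 +0000] "GET /docs/report.pdf HTTP/1.1" 206 65536 "-" "Mozilla/5.0 (Adobe Reader)"
192.0.2.12 - - [24/Aug/2011:10:00:04 +0000] "GET /css/site.css HTTP/1.1" 304 - "-" "Mozilla/5.0"
192.0.2.13 - - [24/Aug/2011:10:00:05 +0000] "GET /2060.html HTTP/1.1" 200 2060 "-" "curl/7.21.6"'

write_sample_log() {
    # $1: path to write the constructed sample log to.
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

count_partial_responses() {
    # $1: path to an access log in combined format.
    # Field 9 is the HTTP status code, so only genuine 206 responses count.
    awk '$9 == 206 { n++ } END { print n + 0 }' "$1"
}

range_header_is_bad() {
    # $1: value of a Range header, e.g. "bytes=0-1,2-3".
    # Succeeds (exit 0) when the value has at least five commas, i.e. six or
    # more ranges. (,[^,]*){5} matches the same inputs as the rule's (,.*?){5,}
    # without relying on non-greedy syntax that POSIX grep does not define.
    printf '%s\n' "$1" | grep -Eq '(,[^,]*){5}'
}

# Stand-alone demo.
tmp=$(mktemp)
write_sample_log "$tmp"
printf '206 responses in sample log: %s\n' "$(count_partial_responses "$tmp")"
rm -f "$tmp"
for hdr in 'bytes=0-1,2-3,4-5,6-7,8-9' 'bytes=0-1,2-3,4-5,6-7,8-9,10-11'; do
    if range_header_is_bad "$hdr"; then verdict=dropped; else verdict=allowed; fi
    printf '%s -> %s\n' "$hdr" "$verdict"
done
```

Run `count_partial_responses /var/log/apache2/access.log` (or whatever path your distribution uses) before deploying the rule: a count near zero means unsetting Range outright costs you little, while a steady stream of 206s suggests keeping the five-range threshold instead. Note that the five-range rule drops the whole Range header rather than rejecting the request, so a client that sends six ranges just gets the full resource with a 200. Apache's later revision of the same advisory also unsets the legacy Request-Range header under the same condition, since older clients and the server still honour it.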
maff
Updated on September 18, 2022
Comments
-
maff almost 2 years
As there is a working exploit against Apache's byte range implementation (CVE-2011-3192, see here), I'd like to disable it until official patches are shipped with my distros (Debian, Ubuntu). The sites are all "normal" websites without big downloads. Are there any disadvantages in disabling the feature besides downloads that can't be resumed?
PS.: I'm disabling the feature by enabling mod_headers and unsetting the range header using the following line:
RequestHeader unset Range
-
osgx almost 13 years
Is SetEnvIf good for Apache 1.3? How can I protect an Apache with a lot of virtual name servers and a lot of DocumentRoots?
-
ravi yarlagadda almost 13 years
@osgx A different mitigation is recommended for 1.3 - using mod_rewrite to reject the malicious requests outright. See here for the implementation info, under the "mitigation" section.