Security – Recent Apache DOS advisory – problem applying the SetEnvIf/ RequestHeader workaround

Tags: apache-2.2, security

So one of the mitigations for this advisory was:

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.

Option 1: (Apache 2.0 and 2.2)

      # Drop the Range header when more than 5 ranges.
      # CVE-2011-3192
      SetEnvIf Range (,.*?){5,} bad-range=1
      RequestHeader unset Range env=bad-range

      # optional logging.

      CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Now when I add this to my httpd.conf:

    <IfModule mod_setenvif.c>
    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range
    </IfModule>

I get this error when restarting Apache:

"Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included in the server configuration"

The SetEnvIf module seems to be loaded.

What is wrong with that parameter?

Version is Apache/2.2.14.

Link to the advisory is: http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser

Also, would Tomcat be vulnerable to this?

tia!

Best Answer

RequestHeader requires you to load mod_headers.
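As an added example (not part of the original answer), here is the complete workaround as it would sit in httpd.conf once mod_headers is loaded. The module path `modules/mod_headers.so` is an assumption and depends on the distribution's layout; on Debian/Ubuntu the equivalent is `a2enmod headers` rather than a LoadModule line.

```apache
# Added example: load mod_headers so the RequestHeader directive exists.
# The .so path is an assumption; adjust it to where your build installs modules.
LoadModule headers_module modules/mod_headers.so

<IfModule mod_headers.c>
<IfModule mod_setenvif.c>
    # Drop the Range header when more than 5 ranges are requested (CVE-2011-3192).
    # The regex needs at least 5 commas, i.e. 6 or more byte ranges.
    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range

    # Optional: log only the requests whose Range header was dropped.
    CustomLog logs/range-CVE-2011-3192.log common env=bad-range
</IfModule>
</IfModule>
```

Note that wrapping the directives in `<IfModule>` means the mitigation is silently skipped if either module is absent, so after restarting confirm with `apachectl -M` (or `httpd -M`) that both `headers_module` and `setenvif_module` are listed, and run `apachectl -t` to check the syntax before a live restart.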