[Info-vax] 'Kill tool' released for unpatched Apache server vulnerability
Martin Vorlaender
mv at pdv-systeme.de
Fri Aug 26 12:39:45 EDT 2011
Martin Vorlaender <mv at pdv-systeme.de> wrote:
> The workaround I use (but haven't tested yet) is
>
> RewriteEngine On
> RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
> RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
> RewriteRule .* - [F]
>
> and
>
> RewriteOptions inherit
>
> for any virtual hosts (in case the rewrite rule is placed in
> the global part of the config).
>
> cf. http://seclists.org/fulldisclosure/2011/Aug/241
I have now (SWS 2.1-1, VMS 8.3-1H1 on an rx2600) tested it under a
fairly simple configuration (mostly serving documentation, no vhosts),
and can confirm that SWS is vulnerable to the exploit (doesn't
crash, but VMS crawls along) and that the workaround mitigates it.
cu,
Martin
--
One OS to rule them all | Martin Vorlaender | OpenVMS rules!
One OS to find them | work: mv at pdv-systeme.de
One OS to bring them all | http://vms.pdv-systeme.de/users/martinv/
And in the Darkness bind them.| home: martin.vorlaender at t-online.de
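The same test the quoted RewriteCond performs, written as a small Python request filter so the rule can be exercised against constructed sample requests before it goes into a live config; this is an added example, not code from the post or from SWS/Apache, and the names would_be_rejected, count_ranges and SAMPLES are hypothetical.

```python
import re

# Same pattern as the quoted RewriteCond %{HTTP:Range}: two or more byte-range
# specs ("a-b, c-d, ...") anywhere in the Range header value.
MULTI_RANGE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")
# Same as RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
METHODS = re.compile(r"^(HEAD|GET)", re.IGNORECASE)


def would_be_rejected(method: str, headers: dict) -> bool:
    """Mirror of RewriteRule .* - [F]: True when the request would get a 403.

    Only GET/HEAD requests carrying a multi-range Range header are refused;
    everything else passes through untouched.
    """
    if not METHODS.match(method):
        return False
    range_value = headers.get("Range")
    if range_value is None:
        return False
    return MULTI_RANGE.search(range_value) is not None


def count_ranges(range_value: str) -> int:
    """Number of byte-range specs in "bytes=a-b,c-d,..." (hypothetical helper).

    Useful if a site needs a threshold (reject only above N ranges) rather than
    the post's all-or-nothing rule, which also refuses the legitimate
    multi-range requests some download and PDF clients send.
    """
    _, _, specs = range_value.partition("=")
    return len([s for s in specs.split(",") if s.strip()])


# Constructed sample requests (not captured traffic) covering each branch.
SAMPLES = [
    ("GET", {"Range": "bytes=0-499"}),         # single range: allowed
    ("GET", {"Range": "bytes=0-1,2-3,4-5"}),   # several ranges: 403
    ("HEAD", {"Range": "bytes=0-1, 2-3"}),     # whitespace after comma: 403
    ("POST", {"Range": "bytes=0-1,2-3"}),      # not GET/HEAD: rule does not apply
    ("GET", {}),                               # no Range header: allowed
]


def classify(samples=SAMPLES):
    """Apply the filter to every sample; returns one bool per request."""
    return [would_be_rejected(method, hdrs) for method, hdrs in samples]


if __name__ == "__main__":
    for (method, hdrs), rejected in zip(SAMPLES, classify()):
        print(method, hdrs.get("Range"), "-> 403" if rejected else "-> pass")
```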