[Info-vax] 'Kill tool' released for unpatched Apache server vulnerability
Rich Jordan
jordan at ccs4vms.com
Fri Aug 26 13:26:36 EDT 2011
On Aug 26, 11:39 am, "Martin Vorlaender" <m... at pdv-systeme.de> wrote:
> Martin Vorlaender <m... at pdv-systeme.de> wrote:
> > The workaround I use (but haven't tested yet) is
>
> > RewriteEngine On
> > RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
> > RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
> > RewriteRule .* - [F]
>
> > and
>
> > RewriteOptions inherit
>
> > for any virtual hosts (in case the rewrite rule is placed in
> > the global part of the config).
>
> > cf. http://seclists.org/fulldisclosure/2011/Aug/241
>
> I have now (SWS 2.1-1, VMS 8.3-1H1 on an rx2600) tested it under a
> fairly simple configuration (mostly serving documentation, no vhosts),
> and can confirm that SWS is vulnerable to the exploit (doesn't
> crash, but VMS crawls along) and that the workaround mitigates it.
>
> cu,
> Martin
> --
> One OS to rule them all | Martin Vorlaender | OpenVMS rules!
> One OS to find them | work: m... at pdv-systeme.de
> One OS to bring them all | http://vms.pdv-systeme.de/users/martinv/
> And in the Darkness bind them.| home: martin.vorlaen... at t-online.de
Thanks for the update. Looks like we'll have to go that route since
there doesn't seem to be any way to make the RequestHeader unset work
conditionally. It's all or nothing, at least on our version of
Apache...
I wonder how long it will take HP to release an update once the Apache
patch is available...
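As an added illustration, not part of this thread or of Martin's or Rich's configuration: the Python below models the quoted mod_rewrite workaround (method HEAD/GET with the [NC] flag, Range header matched by the same unanchored PCRE-style pattern) so the classification can be checked against constructed requests before the rule goes into a live httpd.conf. The sample requests, the function names and the simple comma-count helper are all assumptions made for the example; the "pair" sample shows a cost the post does not spell out, namely that the workaround also answers 403 to an ordinary two-range request.

```python
import re

# Same pattern as the quoted RewriteCond on the Range header: two or more
# "first-last" byte ranges separated by commas. Both digit groups may be empty,
# so suffix ranges ("-500") and open-ended ranges ("9500-") are counted too.
MULTI_RANGE_RE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")
METHOD_RE = re.compile(r"^(HEAD|GET)", re.IGNORECASE)  # ^(HEAD|GET) with [NC]


def rewrite_rule_blocks(method: str, headers: dict) -> bool:
    """Return True when the quoted mod_rewrite workaround would answer 403.

    Mirrors the two RewriteCond lines: the method must begin with HEAD or GET
    (case-insensitive), and the Range header must contain at least two
    byte-range specs. Header names are looked up case-insensitively, as Apache
    does. RewriteCond patterns are unanchored searches, hence re.search.
    """
    if not METHOD_RE.match(method):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    range_value = lowered.get("range")
    if range_value is None:
        return False
    return MULTI_RANGE_RE.search(range_value) is not None


def count_byte_ranges(range_header: str) -> int:
    """Count byte-range specs in a Range header ('bytes=0-9,20-29' -> 2).

    A hypothetical, more readable alternative to the regex for sites that want
    a threshold higher than one: split the ranges-specifier on commas and
    ignore entries that carry no '-' at all.
    """
    _, _, spec = range_header.partition("=")
    return sum(1 for part in spec.split(",") if "-" in part)


# Constructed sample requests (not captured traffic): a normal single-range
# download, a legitimate two-range request, a HEAD request carrying fifty
# overlapping ranges of the kind the linked advisory describes, a POST with the
# same header (outside the rule's method condition), and a request without Range.
SAMPLES = {
    "single":  ("GET",  {"Range": "bytes=0-1023"}),
    "pair":    ("GET",  {"Range": "bytes=0-9,20-29"}),
    "many":    ("HEAD", {"Range": "bytes=" + ",".join("0-%d" % i for i in range(1, 51))}),
    "post":    ("POST", {"Range": "bytes=0-9,20-29"}),
    "norange": ("GET",  {"Accept": "*/*"}),
}


def classify_samples() -> dict:
    """Map each sample name to whether the workaround would reject it."""
    return {name: rewrite_rule_blocks(m, h) for name, (m, h) in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in classify_samples().items():
        print(f"{name:8s} -> {'403 Forbidden' if blocked else 'pass'}")
```

Running the script prints one line per sample; only "pair" and "many" are rejected, which is the intended behaviour of the rule as quoted and also its false-positive cost for the rare legitimate multi-range client.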