On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener <cove...@gmail.com> wrote:
>> * Is this the right list (and order) of the mitigations - or should
>> ReWrite be first ?
> FWIW I don't like rewrite first because it's so unruly with being
> defined once per vhost + main server + RewriteEngine on.
>
> I like RequestHeader simplicity, and could be combined with SetEnvIf
> to only zap long malicious looking headers.
> e.g.

SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
CustomLog logs/range.log "%r %{Range}i %{bad-range}e"

printf "GET / HTTP/1.1\r\nHost: localhost\r\nRange:bytes=0-1,2-3,4-5,5-6,7-9,10-12,11-99,44\r\n\r\n" | nc localhost 80
GET / HTTP/1.1 - 1

printf "GET / HTTP/1.1\r\nHost: localhost\r\nRange:bytes=0-1,2-3,4-5\r\n\r\n" | nc localhost 80
GET / HTTP/1.1 bytes=0-1,2-3,4-5 -

-- 
Eric Covener
cove...@gmail.com
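The following is an added example, not part of Eric's mail or of httpd: it emulates the SetEnvIf / RequestHeader / CustomLog trio above in Python so the behaviour on the two requests in the mail can be checked offline. The header dicts and request line are constructed here; the regex is the one from the mail.

```python
import re

# Same pattern as the mail's SetEnvIf: five or more commas in the Range value.
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")


def apply_range_mitigation(headers):
    """Emulate 'SetEnvIf Range (,.*?){5,} bad-range=1' followed by
    'RequestHeader unset Range env=bad-range'.

    headers: dict of request headers (Range looked up case-insensitively).
    Returns (new_headers, bad_range): Range is dropped only when it matched.
    """
    new_headers = dict(headers)
    range_key = next((k for k in new_headers if k.lower() == "range"), None)
    bad_range = False
    if range_key is not None and BAD_RANGE_RE.search(new_headers[range_key]):
        bad_range = True
        del new_headers[range_key]  # header never reaches byterange handling
    return new_headers, bad_range


def range_log_line(request_line, headers, bad_range):
    """Render the mail's CustomLog format "%r %{Range}i %{bad-range}e".

    RequestHeader runs before logging, so a zapped Range logs as "-";
    an unset env variable also logs as "-".
    """
    range_value = next(
        (v for k, v in headers.items() if k.lower() == "range"), "-")
    env_value = "1" if bad_range else "-"
    return f"{request_line} {range_value} {env_value}"


def process_request(request_line, headers):
    """Run one request through the mitigation and return its log line."""
    new_headers, bad_range = apply_range_mitigation(headers)
    return range_log_line(request_line, new_headers, bad_range)


if __name__ == "__main__":
    # Constructed headers matching the two printf requests in the mail.
    bad = {"Host": "localhost",
           "Range": "bytes=0-1,2-3,4-5,5-6,7-9,10-12,11-99,44"}
    benign = {"Host": "localhost", "Range": "bytes=0-1,2-3,4-5"}
    print(process_request("GET / HTTP/1.1", bad))
    print(process_request("GET / HTTP/1.1", benign))
```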