-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, This one works like charm on my debian stable
LimitRequestFieldSize 200 in the apache2.conf as global directive for all vhosts. Cheers, - -Nik On 08/26/2011 05:56 PM, bodik wrote: > Dne 08/26/11 13:26, bodik napsal(a): >> >>>> Option 2: (Pre 2.2 and 1.3) >>>> >>>> # Reject request when more than 5 ranges in the Range: header. # >>>> CVE-2011-3192 # RewriteEngine on RewriteCond %{HTTP:range} >>>> !(bytes=[^,]+(,[^,]+){0,4}$|^$) # RewriteCond %{HTTP:request-range} >>>> !(bytes=[^,]+(?:,[^,]+){0,4}$|^$) RewriteRule .* - [F] >>> ^^ Better use this: >>> >>> RewriteEngine on RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) >>> [NC,OR] RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) >>> [NC] RewriteRule .* - [F] >>> >> >> in any case, i found very wierd behavior on some of our webservers. as we >> applied the first version of workaround, something about 15% of our webpages >> seems to be broken, but the rest of virtual hosts were working fine. > > because of messing with Options FollowSymLinks or SymLinksIfOwnerMatch and > mod_rewrite i have to implement other workaround .. > > b > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJOV7fKAAoJEDFLYVOGGjgXniQH/jQoeD+vKAT1D+PdCijthhNA Svjhvyl801n/b+ggJvLq6HclMZKacThcuVqtyb+ehf1b+3D9XMeMtieze0sC2Qnt GAuBKSUI+b7QRSJETjncBqKeVu7RpeeKeKI3aotqXtNTknP+S0McKpPKUYEM591K iaam/DkmzTob6Ey2J0anQs+58yCqLqEusoojqIy4T8Ql48EDoE/TnSZphA3BGGpC rZ/r0Hv49SJkTWIwY03+epYDTuIq8+LK9flEkSsKC4OqFkZagx7MEjyDv1Xztj0K 8hsC+iC9k+RCKdAnQVPiJ/CaKgUbNeghuX/bIxCm0edjLFUhootlf7ie8dvnxbs= =LO33 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/