[users@httpd] Recent Apache DOS advisory - problem applying the SetEnvIf/ RequestHeader workaround.

Tom Sztur Wed, 24 Aug 2011 18:02:42 -0700

so one of the mitigations for this advisory was:


1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
   either ignore the Range: header or reject the request.

   Option 1: (Apache 2.0 and 2.2)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Now when I add this to my httpd.conf:
<IfModule mod_setenvif.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

</IfModule>


I get this error when restarting Apache:
"Invalid command 'RequestHeader', perhaps misspelled or defined by a
module not included in the server configuration"

The SetEvnIf module seems to be loaded.

What is wrong with that parameter?

TIA!

[users@httpd] Recent Apache DOS advisory - problem applying the SetEnvIf/ RequestHeader workaround.

Reply via email to