Forgot to add: version is Apache/2.2.14. Link to the advisory is: http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser
t.

On Wed, Aug 24, 2011 at 9:02 PM, Tom Sztur <[email protected]> wrote:
> so one of the mitigations for this advisory was:
>
> 1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
> either ignore the Range: header or reject the request.
>
> Option 1: (Apache 2.0 and 2.2)
>
> # Drop the Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
>
> # optional logging.
>
> CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>
> Now when I add this to my httpd.conf:
> <IfModule mod_setenvif.c>
> # Drop the Range header when more than 5 ranges.
> # CVE-2011-3192
>
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
>
> </IfModule>
>
> I get this error when restarting Apache:
> "Invalid command 'RequestHeader', perhaps misspelled or defined by a module
> not included in the server configuration"
>
> The SetEnvIf module seems to be loaded.
>
> What is wrong with that parameter?
>
> TIA!
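
Added example, not part of the original message or the advisory: `RequestHeader` is implemented by mod_headers, not mod_setenvif, so the quoted mitigation needs that module loaded as well. The `LoadModule` path below is an assumption about the build layout.

```apache
# Added example, not from the original message.
# SetEnvIf comes from mod_setenvif; RequestHeader comes from mod_headers.
# Assumption: modules live under modules/ relative to ServerRoot. Adjust the
# path for your build (on Debian/Ubuntu packages, "a2enmod headers" enables
# the module instead of a hand-written LoadModule line).
LoadModule headers_module modules/mod_headers.so

# Deliberately not wrapped in <IfModule>: if either module is missing, the
# server refuses to start instead of silently running without the mitigation.
# An <IfModule mod_setenvif.c> wrapper only tests for mod_setenvif, so it does
# not guard the RequestHeader line inside it.

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

# Check before restarting:
#   apachectl -t    (syntax check of the configuration)
#   apachectl -M    (loaded modules; headers_module and setenvif_module
#                    should both be listed)
```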
