[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

To: Nikolay Kichukov <hijacker@xxxxxxxxx>
Subject: Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
From: Andrew Farmer <andfarm@xxxxxxxxx>
Date: Mon, 29 Aug 2011 16:39:59 -0700

On 2011-08-26, at 08:12, Nikolay Kichukov wrote:
> Hi,
> This one works like charm on my debian stable
> 
> LimitRequestFieldSize 200
> 
> in the apache2.conf as global directive for all vhosts.

Be cautious about applying this mitigation -- it *will* break applications 
which use large cookies. In particular, the cookies generated by Google 
Analytics are often over 200 bytes long alone.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
  - From: Dirk-Willem van Gulik
- Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
  - From: Carlos Alberto Lopez Perez
- Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
  - From: bodik
- Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
  - From: bodik
- Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
  - From: Nikolay Kichukov

Prev by Date: [Full-disclosure] Vulnerabilities in ClickCMS
Next by Date: Re: [Full-disclosure] Is This MITM Attack to Gmail's SSL ?
Previous by thread: Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
Next by thread: Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
Index(es):
- Date
- Thread