[Bug 839569] Re: Apache2 is still Range header DoS vulnerable if gzip compression is enabled
Paweł Tęcza
839569 at bugs.launchpad.net
Wed Sep 7 09:02:59 UTC 2011
Hi Steve,

Yes, I can confirm that my Apache returns "200 OK" for that request:

root at server:~# nc localhost 80
HEAD / HTTP/1.1
Host: localhost
Range:bytes=1-15,10-35,8-9,14-22,0-5,23-
Accept-Encoding: gzip
Connection: close

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 08:51:43 GMT
Server: Apache
Set-Cookie: FSESSIONID=m; path=/; domain=my.server.pl; expires=Wed, 07-Sep-2011 09:06:43 GMT
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Set-Cookie: e9231db0fb41e22cabb573ecb7ba8b90=br5glf7jvticj4gs4kiglb5d13; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: lang=deleted; expires=Tue, 07-Sep-2010 08:51:43 GMT; path=/
Set-Cookie: jfcookie=deleted; expires=Tue, 07-Sep-2010 08:51:43 GMT; path=/
Set-Cookie: jfcookie[lang]=deleted; expires=Tue, 07-Sep-2010 08:51:43 GMT; path=/
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 08:51:45 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html; charset=utf-8
root at server:~#

but it still returns "206 Partial Content" for a non-overlapping byte
range:

root at server:~# nc localhost 80
HEAD / HTTP/1.1
Host: localhost
Range:bytes=0-100
Accept-Encoding: gzip
Connection: close

HTTP/1.1 206 Partial Content
Date: Wed, 07 Sep 2011 08:58:34 GMT
Server: Apache
Set-Cookie: FSESSIONID=m; path=/; domain=my.server.pl; expires=Wed, 07-Sep-2011 09:13:34 GMT
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Set-Cookie: e9231db0fb41e22cabb573ecb7ba8b90=3pv0n50sf008la91se85acne22; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: lang=deleted; expires=Tue, 07-Sep-2010 08:58:34 GMT; path=/
Set-Cookie: jfcookie=deleted; expires=Tue, 07-Sep-2010 08:58:34 GMT; path=/
Set-Cookie: jfcookie[lang]=deleted; expires=Tue, 07-Sep-2010 08:58:34 GMT; path=/
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 08:58:35 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Range: bytes 0-19/20
Content-Length: 20
Connection: close
Content-Type: text/html; charset=utf-8
root at server:~#

And here you can see my enabled Apache modules:

root at server:~# apache2ctl -t -D DUMP_MODULES
Loaded Modules:
core_module (static)
log_config_module (static)
logio_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
alias_module (shared)
auth_basic_module (shared)
authn_file_module (shared)
authnz_ldap_module (shared)
authz_default_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
headers_module (shared)
ldap_module (shared)
mime_module (shared)
negotiation_module (shared)
pagespeed_module (shared)
php5_module (shared)
proxy_module (shared)
proxy_connect_module (shared)
proxy_html_module (shared)
proxy_http_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
ssl_module (shared)
status_module (shared)
substitute_module (shared)
Syntax OK
root at server:~#
--
https://bugs.launchpad.net/bugs/839569
Title:
Apache2 is still Range header DoS vulnerable if gzip compression is
enabled
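
Added example, not part of the original message and not Apache's code: a small Python resolver for the two Range values tested above, run against the 20-byte gzip entity those replies report. The function names and the 200/206 decision in model_status are assumptions that only mirror the observed replies.

```python
import re

SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def resolve_ranges(value, length):
    """Resolve a Range header value against an entity of `length` bytes.

    Returns inclusive (first, last) pairs for the satisfiable specs, in
    request order, or None when the value is not a valid bytes range set.
    """
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    resolved = []
    for spec in specs.split(","):
        m = SPEC.match(spec)
        if not m or m.groups() == ("", ""):
            return None
        first, last = m.groups()
        if first == "":                      # suffix form "-N": last N bytes
            start, end = max(length - int(last), 0), length - 1
        else:
            start = int(first)
            end = min(int(last), length - 1) if last else length - 1
            if last and int(last) < start:   # "5-2" is syntactically invalid
                return None
        if start <= end:                     # drop specs starting past the end
            resolved.append((start, end))
    return resolved

def count_overlaps(ranges):
    """Count ranges that begin inside bytes already covered by another."""
    overlaps, reach = 0, -1
    for start, end in sorted(ranges):
        if start <= reach:
            overlaps += 1
        reach = max(reach, end)
    return overlaps

def model_status(value, length):
    """Assumed model of the replies in the message above, not Apache's logic."""
    ranges = resolve_ranges(value, length)
    if ranges is None or count_overlaps(ranges):
        return 200, None                     # Range ignored, full entity sent
    if not ranges:
        return 416, None                     # nothing satisfiable
    if len(ranges) == 1:
        return 206, "bytes %d-%d/%d" % (ranges[0] + (length,))
    return 206, None                         # multipart/byteranges reply
```

With length 20, "bytes=0-100" resolves to the same Content-Range shown in the 206 reply, and the six-part value resolves to five satisfiable ranges, four of which start inside bytes already covered.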