-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Apache HTTPD Security ADVISORY
==============================
UPDATE 2
Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192
Last Change: 20110826 1030Z
Date: 20110824 1600Z
Product: Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions
Changes since last update
=========================
In addition to the 'Range' header - the 'Range-Request' header is equally
affected. Furthermore various vendor updates, improved regexes (speed and
accommodating a different and new attack pattern).
Description:
============
A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by the Apache HTTPD server:
http://seclists.org/fulldisclosure/2011/Aug/175
An attack tool is circulating in the wild. Active use of this tool has
been observed.
The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.
The default Apache HTTPD installation is vulnerable.
There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
is available.
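A defender-side check for the multiple overlapping ranges the description names, as an added example that is not part of the advisory: it resolves the byte ranges carried by one request and reports how many overlap and how many bytes they ask for in total. The `MAX_RANGES` threshold, the function names and the sample requests are assumptions made for illustration.

```python
import re

# 'Range' plus both spellings this page uses for the second affected header.
RANGE_HEADERS = {"range", "request-range", "range-request"}
MAX_RANGES = 5  # assumed policy threshold, not a value from the advisory
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def resolve(value, size):
    """Turn 'bytes=a-b,c-,-n' into absolute (start, end) pairs for `size` bytes."""
    unit, _, specs = value.partition("=")
    if unit.strip().lower() != "bytes" or size <= 0:
        return []
    pairs = []
    for spec in specs.split(","):
        m = _SPEC.match(spec)
        if not m or m.groups() == ("", ""):
            continue  # malformed element, ignore it
        first, last = m.groups()
        if first == "":  # suffix form: the last N bytes of the resource
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = min(int(last), size - 1) if last else size - 1
        if start <= end:  # drops unsatisfiable elements such as '5-0'
            pairs.append((start, end))
    return pairs

def assess(headers, size):
    """Summarise the range headers of one request for a resource of `size` bytes."""
    pairs = []
    for name, value in headers.items():
        if name.lower() in RANGE_HEADERS:
            pairs += resolve(value, size)
    overlaps, reach = 0, -1
    for start, end in sorted(pairs):
        if start <= reach:
            overlaps += 1  # re-reads bytes that an earlier range already covers
        reach = max(reach, end)
    requested = sum(end - start + 1 for start, end in pairs)
    return dict(ranges=len(pairs), overlaps=overlaps, requested=requested,
                suspicious=len(pairs) > MAX_RANGES or requested > size)

# Constructed sample requests (not captured traffic), each for a 1000-byte resource.
SAMPLES = [{"Range": "bytes=0-499"}, {"Range": "bytes=0-99,200-299"},
           {"Range": "bytes=0-600,500-999"},
           {"Request-Range": "bytes=0-,1-,2-,3-,4-,5-"}]

for sample in SAMPLES:
    print(sample, assess(sample, 1000))
```

A request is flagged when it carries more ranges than the threshold or asks for more bytes than the resource contains, which a client fetching disjoint parts of a file has no reason to do.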
This post was published by flyinweb on 2011-09-06 14:06:40 in the Web Server category; it has been viewed 883 times and has 0 comments.
The author added the following tags: Range, Request-Range.