[Bug 839569] Re: Apache2 is still Range header DoS vulnerable if gzip compression is enabled
Upen
upendra.gandhi at gmail.com
Wed Sep 7 15:13:48 UTC 2011
Hi,

I am the other user who reported that even after fully patching 10.04
LTS, I see that my virtual Lucid is still vulnerable. I am not sure
where exactly the problem is: system resources, an Apache bug, or my
configuration.

OS: Ubuntu 10.04.3 LTS
Memory = 512 MB
1 CPU : model name : Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz

nc www.server.name 80
HEAD / HTTP/1.1
Host: www.server.name
Range:bytes=1-15,10-35,8-9,14-22,0-5,23-
Accept-Encoding: gzip
Connection: close

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 15:05:30 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Mon, 02 Aug 2010 21:42:40 GMT
ETag: "e51e-b1-48cde146fd1b1"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 146
Connection: close
Content-Type: text/html

apache2ctl -t -D DUMP_MODULES
Loaded Modules:
core_module (static)
log_config_module (static)
logio_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_file_module (shared)
authz_default_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
headers_module (shared)
mime_module (shared)
security2_module (shared)
negotiation_module (shared)
php5_module (shared)
reqtimeout_module (shared)
setenvif_module (shared)
status_module (shared)
unique_id_module (shared)
Syntax OK
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/839569
Title:
Apache2 is still Range header DoS vulnerable if gzip compression is
enabled
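
Added example, not part of the original message and not Apache or Ubuntu code: a Python check that parses a Range header such as the one in the request above and reports how many ranges it carries and how many overlap, the shape a request filter or log review would flag. The function names, the MAX_RANGES threshold and the entity length of 177 bytes are assumptions.

```python
import re

MAX_RANGES = 5  # assumed policy threshold, not a value from the page
_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(value, entity_length):
    """Resolve a Range header value to absolute (first, last) byte pairs.

    Returns None if the value is not a valid "bytes" range set; specs that
    start past the end of the entity are dropped as unsatisfiable.
    Assumes entity_length > 0.
    """
    unit, sep, specs = value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    resolved = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.group(0) == "-":
            return None
        first, last = m.groups()
        if first == "":  # suffix form "-N": the final N bytes
            lo, hi = max(entity_length - int(last), 0), entity_length - 1
        else:
            lo = int(first)
            hi = min(int(last), entity_length - 1) if last else entity_length - 1
            if last and int(last) < lo:
                return None  # last byte before first byte: invalid set
        if lo <= hi:
            resolved.append((lo, hi))
    return resolved


def assess(value, entity_length):
    """Summarise a Range header for filtering or log review."""
    ranges = parse_ranges(value, entity_length)
    if ranges is None:
        return {"valid": False, "count": 0, "overlaps": 0, "bytes": 0, "suspicious": False}
    overlaps, max_end = 0, -1
    for lo, hi in sorted(ranges):
        if lo <= max_end:  # starts inside bytes already covered
            overlaps += 1
        max_end = max(max_end, hi)
    total = sum(hi - lo + 1 for lo, hi in ranges)
    return {"valid": True, "count": len(ranges), "overlaps": overlaps, "bytes": total,
            "suspicious": len(ranges) > MAX_RANGES or overlaps > 0}


# Range value from the request in the message; 177 is a constructed entity length.
PAGE_RANGE = "bytes=1-15,10-35,8-9,14-22,0-5,23-"
```

For the header in the message this reports six ranges, five of which start inside bytes already covered by an earlier range.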