There are a number of ways to block attacks using the recent Apache byte-range request vulnerability (CVE-2011-3192); the best of all is upgrading or patching Apache to fix the issue.
Some versions are easier than others to configure if you cannot patch or upgrade.
In particular, Apache 2.0.49 lacks some of the features required, such as the option to use RequestHeader with an environment variable.
Below is the configuration I have used to block requests with 10 or more byte ranges, or requests that use the HEAD method to request byte ranges (as that seems a little pointless).
It also logs all such requests to a specific log file.
# Flag any byte-range request, then clear the flag again for GET, so that
# only non-GET (e.g. HEAD) byte-range requests stay flagged at this point.
SetEnvIf Range (^bytes) bad-range=1
SetEnvIf Request-Range (^bytes) bad-range=1
SetEnvIf Request_Method "GET" !bad-range
# Flag requests carrying 9 or more commas, i.e. 10 or more byte ranges.
SetEnvIf Range (,.*?){9,} bad-range=1
SetEnvIf Request-Range (,.*?){9,} bad-range=1
# Log every flagged request to its own file.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
# Not available in Apache 2.0.49
#RequestHeader unset Range env=bad-range
#RequestHeader set Range "badrange" env=bad-range
RewriteEngine on
# Forbid any Range/Request-Range that is not either empty or a "bytes=" list
# of at most 9 ranges (10 or more ranges are refused, matching the logging
# rule above).
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,8}$|^$)
RewriteRule .* - [F]
RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,8}$|^$)
RewriteRule .* - [F]
# Forbid byte-range requests made with the HEAD method.
RewriteCond %{HTTP:range} (^bytes=)
RewriteCond %{REQUEST_METHOD} ^(HEAD)
RewriteRule .* - [F]
RewriteCond %{HTTP:request-range} (^bytes=)
RewriteCond %{REQUEST_METHOD} ^(HEAD)
RewriteRule .* - [F]
I've simply put this in httpd.conf using an include file before my NameVirtualHost options, and then in each virtual host I've added
RewriteEngine On
RewriteOptions Inherit
Hope it's of some use!
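As an added example (not part of the original post), the Python script below models the policy the Apache configuration above enforces, so the thresholds and the regex shapes can be checked against sample requests offline, without touching a live server. It assumes the post's threshold of 10 or more byte ranges being abusive; the MAX_RANGES constant, the function names and the sample requests are mine and not from the post.

```python
import re

# Added example: a standalone model of the policy in the Apache config above.
# Threshold assumed from the post: 10 or more byte ranges is abusive.
MAX_RANGES = 9

# Same shape as the RewriteCond pattern: "bytes=" followed by 1..MAX_RANGES
# comma-separated range specs and nothing else.
ALLOWED_RANGE = re.compile(r"^bytes=[^,]+(,[^,]+){0,%d}$" % (MAX_RANGES - 1))


def count_ranges(value):
    """Number of comma-separated range specs in a Range header value.

    Empty pieces are counted, like the SetEnvIf (,.*?){9,} rule, which only
    counts commas.  An empty or absent header counts as zero.
    """
    if not value:
        return 0
    spec = value.split("=", 1)[1] if "=" in value else value
    return len(spec.split(","))


def classify(method, headers):
    """Return ('block', reason) or ('allow', '') for one request.

    Mirrors the rewrite rules: block a Range/Request-Range that is not a
    short 'bytes=' list, and block any byte range on a HEAD request.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    for name in ("range", "request-range"):
        value = lower.get(name, "")
        if value == "":
            continue
        if not value.startswith("bytes="):
            return "block", "%s: unsupported range unit" % name
        if not ALLOWED_RANGE.match(value):
            return "block", "%s: %d ranges, limit %d" % (
                name, count_ranges(value), MAX_RANGES)
        if method == "HEAD":
            return "block", "%s: byte range on HEAD" % name
    return "allow", ""


# Constructed sample requests (method, headers); not captured traffic.
SAMPLES = [
    ("GET", {"Range": "bytes=0-99"}),
    ("GET", {}),
    ("HEAD", {"Range": "bytes=0-99"}),
    ("GET", {"Range": "bytes=" + ",".join("%d-" % i for i in range(9))}),
    ("GET", {"Request-Range": "bytes=" + ",".join("%d-" % i for i in range(10))}),
    ("GET", {"Range": "bytes=0-0,0-0,0-0,0-0,0-0,0-0,0-0,0-0,0-0,0-0,0-0"}),
]


def audit(samples=SAMPLES):
    """Classify each sample; return a dict of decision -> count."""
    counts = {"allow": 0, "block": 0}
    for method, headers in samples:
        decision, reason = classify(method, headers)
        counts[decision] += 1
        print("%-5s %-4s %s" % (decision, method, reason or "-"))
    return counts


if __name__ == "__main__":
    audit()
```

Running the script prints one line per sample; three are allowed (plain GET, no Range, and a GET with exactly 9 ranges) and three are blocked (HEAD with a byte range, and two requests with 10 or more ranges). Feeding your own header values into classify() is a quick way to confirm a change to the thresholds before editing the live configuration.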
Tuesday, 6 September 2011
Using reCAPTCHA with Sun ONE (ChiliSoft) ASP
I've revisited using reCAPTCHA (captcha) with Sun ONE ASP a number of times and never got it to work, but finally I worked it out, and here is how.
You can use the standard classic ASP code on Google's web site.
http://code.google.com/apis/recaptcha/docs/asp.html
All you then need to change is one line of code.
Replace
Set objXmlHttp = Server.CreateObject("MSXML.XMLHTTPRequest")
with
Set objXmlHttp = NewJavaObject("com.sun.msxml.XMLHttpRequest")
You then need to update the bean policy file and add two new lines.
/opt/casp/asp-server-3000/bean.policy
permission java.util.PropertyPermission "*", "read,write";
permission java.net.SocketPermission "*", "connect,resolve";
Note that "*" in the SocketPermission lets the ASP server open a connection to any host; if you want to be stricter, the permission can name just the reCAPTCHA verification host instead.
You then need to configure Sun ONE ASP to enable Java beans and enable the Java security manager via the management interface. It will prompt you to restart the ASP server, which needs to be done to pick up the changes.
Once that's all done, your captcha code should work on Sun ONE ASP 4.0.3.