Tuesday, 6 September 2011

blocking request range attacks on Apache

There are a number of ways to block attacks using the recent request range byte attack, best of all is upgrading or patching Apache to fix the issue.

Some versions are easier than others to confgure if you can not patch or upgrade.

In particular Apache 2.0.49 does not have some of the features required such as the option to use RequestHeader with an environment variable.

Below is the code I have used to block requests with more 10 or more byte ranges or using the HEAD method to request byte ranges (as that seems a little pointless).

It also logs all such requests to a specific log file.

SetEnvIf Range (^bytes) bad-range=1
SetEnvIf Request-Range (^bytes) bad-range=1
SetEnvIf Request_Method "GET" !bad-range
SetEnvIf Range (,.*?){9,} bad-range=1
SetEnvIf Request-Range (,.*?){9,} bad-range=1
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

#Not available in Apache 2.0.49
#RequestHeader unset Range env=bad-range
#RequestHeader set Range "badrange" env=bad-range

RewriteEngine on

RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,9}$|^$)
RewriteRule .* - [F]
RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,9}$|^$)
RewriteRule .* - [F]
RewriteCond %{HTTP:range} (^bytes=)
RewriteCond %{REQUEST_METHOD} ^(HEAD)
RewriteRule .* - [F]
RewriteCond %{HTTP:request-range} (^bytes=)
RewriteCond %{REQUEST_METHOD} ^(HEAD)
RewriteRule .* - [F]

I've simply put this in httpd.conf using an include file before my NameVirtualHost options and then in each virtual host I've added

RewriteEngine On
RewriteOptions Inherit

Hope its of some use!

using recaptcha with sun one (chilisoft) asp

I've visited using recaptcha (captcha) with sun one asp a number of times and never got it to work but finally I worked it out and here is how.

You can use the standard classic asp code on googles web site.

http://code.google.com/apis/recaptcha/docs/asp.html

All you then need to change is one line of code

Replace

Set objXmlHttp = Server.CreateObject("MSXML.XMLHTTPRequest")

with

Set objXmlHttp = NewJavaObject("com.sun.msxml.XMLHttpRequest")

You then need to update the bean policy file and add two new lines.

/opt/casp/asp-server-3000/bean.policy

permission java.util.PropertyPermission "*", "read,write";
permission java.net.SocketPermission "*", "connect,resolve";


You then need to configure sun one asp to enable java beans and enable the java security manager via the management interface. It will prompt you to restart the asp server which needs to be done to pick up the changes.

Once thats all done your captcha code should work on sun one asp 4.0.3.