Choose one.

Choose a solution from the following for whatever works best for you.

There is currently no full fix for this vulnerability, the following solutions are temporary fixes. Please revisit this site in the future or follow the apache mailing list for discussion.

Upgrade Solution - Best Solution This exploit was fixed in Apache 2.2.20, you can review the changelog, you can download the latest apache version. More information is available at CVE-2011-3192. This solution is the best fix because Apache is able to determine the file size and determine if all of the byte ranges exceed the file than it simply returns the file and ignores the range requests.

Rewrite Solution If you have mod_rewrite running this is one of the easiest solutions. Simply add this to your .htaccess file. RewriteEngine on RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) RewriteRule .* - [F]

SetEnvIf Solution If you have SetEnvIf enabled this is also an easy solution. Add the following to your .htaccess file. SetEnvIf Range (,.*?){5,} bad-range=1 RequestHeader unset Range env=bad-range # optional logging, uncomment and set path to log matches # CustomLog /var/log/range-CVE-2011-3192.log common env=bad-range