Home/ Questions/Q 8303271
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T17:29:14+00:00

I need to use a facebook application but my web page return response 206

  • 0

I need to use a facebook application but my web page return response 206 instead 200,
so that the facebook application return http code 500.

I tested with http://developers.facebook.com/tools/debug/og/object?q=http://adserver.leadhouse.net/test/test/index.php and return 206 instead joomla.it return 200
when they are same curl -I response datae

I tested with this perl script: http://pastebin.com/NCDv9eTh
and my page is vulnerable instead joomla.it is good.

I think that my answer is very close between
Facebook debugger : Response 206
and Apache Webserver security and optimization tips

but I don’t understand how change my apache configuration.
the solution is into this page:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35.2
with similar code:

    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range

or
httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

how can I make it less vulnerable to my web pages?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, everything is started with debugging facebook: dialog send return 500 http code with my page return 206 http code.
    And my curiosity is focused on DoS vulnerability of http code 206 when I tested perl script http://pastebin.com/NCDv9eTh

    I report some significant phrase about apache documentation:

    This vulnerability concerns a ‘Denial of Service’ attack. This means
    that a remote attacker, under the right circumstances, is able to slow
    your service or server down to a crawl or exhausting memory available
    to serve requests, leaving it unable to serve legitimate clients in a
    timely manner.

    There are no indications that this leads to a remote exploit; where a
    third party can compromise your security and gain foothold of the
    server itself. The result of this vulnerability is purely one of
    denying service by grinding your server down to a halt and refusing
    additional connections to the server.

    so that LimitRequestFieldSize workaround was insufficient,
    you could modify Range parameters consulting Mitigation paragraph
    about apache wiki documentation: http://wiki.apache.org/httpd/CVE-2011-3192
    You obtain switch between return http code: from 206 to 200.
    You best apache configuration, but you’re still exposed to DoS vulnerability.

    I added mod_headers with this line:

    RequestHeader unset Range

    and now my page return http code 200.
    And to limit exhausting memory available to serve requests,
    I limit ip connections adding mod_limitipconn with this code:

    MaxConnPerIP 10
    • 0