Check: WA000-WWA066 W22
APACHE 2.2 Server for Windows STIG:
WA000-WWA066 W22
(in versions v1 r13 through v1 r11)
Title
The HTTP request line must be limited. (Cat II impact)
Discussion
Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite system memory. Subsequently an attacker may be able to elevate privileges and take control of the server. This Apache directive limits the size of the various HTTP header sizes, thereby limiting the chances for a buffer overflow. The LimitRequestLine directive allows the server administrator to reduce or increase the limit on the allowed size of a client's HTTP request-line. Since the request-line consists of the HTTP method, URI, and protocol version, the LimitRequestLine directive places a restriction on the length of a request-URI allowed for a request on the server. A server needs this value to be large enough to hold any of its resource names, including any information that might be passed in the query part of a GET request. This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.
Check Content
Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: LimitRequestLine Every enabled LimitRequestLine value needs to be 8190. If any directive is set improperly, this is a Finding. If no LimitRequestLine directives exist, this is a Finding. Although the default value is 8190, this directive must be explicitly set. NOTE: This value may vary in size based on the application that is being supported by the web server. This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased or decreased value. If the ISSM/ISSO has approved this change in writing, this should be marked as Not a Finding.
Fix Text
Set LimitRequestLine to 8190 or approved value. If no LimitRequestLine directives exist, explicitly add the directive and set to 8190.
Additional Identifiers
Rule ID: SV-33011r3_rule
Vulnerability ID: V-13739
Group Title: WA000-WWA066
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |