UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The httpd.conf LimitRequestline directive is set to unlimited.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13739 WA000-WWA066 SV-14349r1_rule Medium
Description
Buffer overflow attacks are carried out by a malicious attacker sending amounts of data that the web server cannot store in a given size buffer. The eventual overflow of this buffer can overwrite system memory. Subsequently an attacker may be able to elevate privileges and take control of the server. The Apache directives listed below limit the size of the various HTTP header sizes thereby limiting the chances for a buffer overflow. From Apache.org: This directive sets the number of bytes that will be allowed on the HTTP request-line. The LimitRequestLine directive allows the server administrator to reduce or increase the limit on the allowed size of a client's HTTP request-line. Since the request-line consists of the HTTP method, URI, and protocol version, the LimitRequestLine directive places a restriction on the length of a request-URI allowed for a request on the server. A server needs this value to be large enough to hold any of its resource names, including any information that might be passed in the query part of a GET request. This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.
STIG Date
IIS 7.0 Server STIG 2019-03-22

Details

Check Text ( C-10992r1_chk )
To view the LimitRequestLine value enter the following command: grep "LimitRequestLine" /usr/local/apache2/conf/httpd.conf

If the value of LimitRequestLine is not set to 8190, then this is a finding.

Note: The default value is 8190.
Fix Text (F-13187r1_fix)
Edit the httpd.conf file and set the LimitRequestLine to 8190 or other approved value.