by jjanzer 5405 days ago
I created a little mini site that lets you check if your server is vulnerable, along with some information about the exploit: http://apache-range-exploit.com/
2 comments

Just a quick note from the advisory site:

"When using a third party attack tool to verify vulnerability - know that most of the versions in the wild currently check for the presence of mod_deflate; and will (mis)report that your server is not vulnerable if this module is not present. This vulnerability is not dependent on presence or absence of that module."

Not sure if that's how you are checking for vulnerability; however, it was reporting that my site was "not vulnerable" when it was very much so.

I recently fixed an issue where the server wouldn't follow redirects, which was causing some false negatives. If your site still shows as a no, would you mind letting me know what the domain is so I can fix any other issue?

The way I check for the vulnerability is based on the original Perl script in the OP link. I submit 20 byte range requests and check for a Partial string in the response; if I see that, I assume that the server is vulnerable. It's more of an educated guess, but I've been using it myself to fix misc servers I have running.
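The heuristic described in this reply, sketched as an added example that is not part of the original thread or the site's own code: it classifies a server's reply to a multi-range probe and flags the redirect case that caused the false negatives mentioned above. The range layout, the function names, the verdict labels and the sample responses are all assumptions constructed for illustration.

```python
# Added example: offline classifier for replies to a multi-range probe.
# Range layout, verdict names and sample responses are constructed assumptions.

def build_probe(host, path="/", n_ranges=20):
    """Return a HEAD request asking for n_ranges one-byte, non-overlapping ranges."""
    ranges = ",".join(f"{i}-{i}" for i in range(0, 2 * n_ranges, 2))
    return (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Range: bytes={ranges}\r\nConnection: close\r\n\r\n")

def parse_head(raw):
    """Split a raw response head into (status_code, lowercase-header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def classify(raw):
    """Map a response to (verdict, redirect_target) from status and headers only."""
    status, headers = parse_head(raw)
    if status in (301, 302, 303, 307, 308):
        # Stopping here yields a false "not vulnerable": re-probe the Location.
        return ("follow-redirect", headers.get("location"))
    if status == 206:
        # Deliberately no mod_deflate / Content-Encoding test: the advisory
        # quoted in the thread says the issue does not depend on that module.
        ctype = headers.get("content-type", "").lower()
        multi = ctype.startswith("multipart/byteranges")
        return ("ranges-honoured" if multi else "single-range-only", None)
    if status == 200:
        return ("ranges-ignored", None)
    if status == 416:
        return ("ranges-rejected", None)
    return ("inconclusive", None)

SAMPLES = {  # constructed responses, not captured traffic
    "multi": "HTTP/1.1 206 Partial Content\r\n"
             "Content-Type: multipart/byteranges; boundary=x\r\n\r\n",
    "redirect": "HTTP/1.1 301 Moved Permanently\r\n"
                "Location: http://www.example.com/\r\n\r\n",
    "ignored": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

A "ranges-honoured" verdict corresponds to the "Partial" match in the reply above and is the same educated guess, not proof; "ranges-ignored" or "ranges-rejected" suggests the Range header is being stripped or limited before it reaches the handler.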

   created Thu, 25 Aug 2011 14:32:30 UTC
Wow, that's nice and clean for a morning project (and thanks!)
Nice use of Twitter's Bootstrap: http://twitter.github.com/bootstrap/

I've used it for a recent one-off project and it's great and meant for that kind of thing: good looking pages even if they were thrown together quickly.