On 30.09.2014 10:51, Baptiste wrote:
> On Mon, Sep 29, 2014 at 2:36 PM, Thomas Heil
> <[email protected]> wrote:
>> Hi,
>>
>> To mitigate the shellshock attack we added two lines in our frontends.
>>
>> --
>> frontend fe_80
>> --
>> reqideny ^[^:]+:\s*\(\s*\)
>> reqideny ^[^:]+:\s+.*?(<<[^<]+){5,}
>> --
>>
>> and checked this via
>>
>> --
>> curl --referer "x() { :; }; ping 127.0.0.1" http://my-haproxy-url/
>> curl --referer "true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF
>> <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF" http://my-haproxy-url/
>> --
>>
>> Any hints or further suggestions?
>>
>> cheers
>> thomas
>>
>
> Hi Thomas,
>
> Thanks for the tips.
> I blogged it with some differences:
> http://blog.haproxy.com/2014/09/30/mitigating-the-shellshock-vulnerability-with-haproxy/
Maybe you should add a warning that this may not catch all possible exploits of that bash bug. The parser seems to be quite bad and even after 2 rounds of security releases from vendors the exploit in bash still isn't fixed all the way. The above fixes *some* of the attack vectors but there may be others that bypass this.

Regards,
Dennis
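Dennis's point is that a deny rule is only as good as the inputs you verify it against. The following is an added test harness, not code from the thread or from HAProxy: it applies Thomas's two reqideny regexes to each line of a raw request the way reqideny does (per line, case-insensitive) and reports which rule fires. The sample requests are constructed, and the Referer values come from the curl checks above plus the canonical `() { :; };` form the first rule is written for; note that the `x()` referer from the thread's curl command does not begin with `(`, so the first rule never matches it, which a harness like this makes visible before the rule goes live.

```python
import re

# Thomas's two reqideny rules, as Python regexes. reqideny is evaluated
# against every line of the request (request line and each header line)
# and is the case-insensitive form, hence re.IGNORECASE.
SHELLSHOCK_RULES = [
    ("bash-function-prefix", re.compile(r"^[^:]+:\s*\(\s*\)", re.IGNORECASE)),
    ("heredoc-flood", re.compile(r"^[^:]+:\s+.*?(<<[^<]+){5,}", re.IGNORECASE)),
]


def denied_by(header_line: str):
    """Return the name of the first rule that matches this line, or None."""
    for name, rule in SHELLSHOCK_RULES:
        if rule.search(header_line):
            return name
    return None


def check_request(raw_request: str):
    """Walk a CRLF-separated raw request like reqideny would.
    Returns (denied, rule_name, offending_line)."""
    for line in raw_request.split("\r\n"):
        if not line:
            break  # blank line ends the headers
        hit = denied_by(line)
        if hit:
            return True, hit, line
    return False, None, None


# Constructed sample requests (not captured traffic).
HEAD = "GET / HTTP/1.1\r\nHost: my-haproxy-url\r\n"
# Canonical shellshock-style value: begins with "()" so rule 1 applies.
CANONICAL = HEAD + "Referer: () { :; }; ping 127.0.0.1\r\n\r\n"
# The heredoc check from the thread: 14 "<<EOF" tokens, rule 2 needs >= 5.
HEREDOC = HEAD + "Referer: true " + " ".join(["<<EOF"] * 14) + "\r\n\r\n"
# The first curl check from the thread: value starts with "x", not "(",
# so rule 1's "\s*\(" does not match and the request is not denied.
PREFIXED = HEAD + "Referer: x() { :; }; ping 127.0.0.1\r\n\r\n"
BENIGN = HEAD + "Referer: https://example.com/\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("canonical", CANONICAL), ("heredoc", HEREDOC),
                       ("prefixed", PREFIXED), ("benign", BENIGN)]:
        print(label, check_request(req))
```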

