[prev in list] [next in list] [prev in thread] [next in thread]
List: varnish-misc
Subject: varnish 2.15 - possible security exploit?
From: scaunter () topscms ! com (Caunter, Stefan)
Date: 2011-02-22 18:03:35
Message-ID: 7F0AA702B8A85A4A967C4C8EBAD6902CF7C23B () TMG-EVS02 ! torstar ! net
[Download RAW message or body]
>In message
<AANLkTimzDZXpY=OXb-g3uVj=FurbWpjHweJzLChqrBLg at mail.gmail.com>, Mike
Franon writes:
>>I was curious does anyone know of any serious security exploits that
>>can use varnish as an open proxy?
>Only if they can reload the Varnish VCL somehow. Varnish has the
>backends hardcoded in VCL.
>>The reason why I am thinking that some sort of exploit might be going
>>on is, looking at the varnish logs I was seeing some url's for domains
>>we do not even own.
>And what does the log says happen to them ?
>You can probably do something like:
> if (req.http.host !~ "<regexp matching your domains") {
> error(755); /* No need to be civilized here */
> }
>To prevent them from reaching your backend.
Sure, but maybe we have a non-host specific config for a farm, where if
DNS sends you to varnish, it doesn't check the host header, it just
selects a backend. A regexp matching many domains is avoided in this
case.
Lets you put varnish in front of many sites without a lot of fuss.
If there's an invalid host, we can simply cache the "don't got" page.
Potential for DoS attack, but hardly specific to varnish.
SC
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic