varnish 2.15 - possible security exploit?

Poul-Henning Kamp phk at phk.freebsd.dk
Tue Feb 22 15:46:45 CET 2011


In message <AANLkTimzDZXpY=OXb-g3uVj=FurbWpjHweJzLChqrBLg at mail.gmail.com>, Mike
 Franon writes:
>HI,
>
>I was curious does anyone know of any serious security exploits that
>can use varnish as an open proxy?

Only if they can reload the Varnish VCL somehow.  Varnish has the
backends hardcoded in VCL.

>The reason why I am thinking that some sort of exploit might be going
>on is, looking at the varnish logs I was seeing some url's for domains
>we do not even own.

And what does the log says happen to them ?

You can probably do something like:

	if (req.http.host !~ "<regexp matching your domains") {
		error(755);	/* No need to be civilized here */
	}

To prevent them from reaching your backend.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.



More information about the varnish-misc mailing list