full disclosure reports

sky at crucially.net
Wed Mar 6 17:31:18 CET 2013


I am not just speaking for us. (We didn't report some of the issues because of the seeming lack of interest.) I also don't think it is just about us; I know a lot of people front web farms (WordPress, Drupal, etc.) with Varnish, where someone could change a header but not generate 1TB objects.

And previously, you have not considered these a problem at all.

If you are fronting a website that you completely own, and you have 300 developers working on it, it isn't entirely unlikely one of them will forget a ',' in a Vary. And boom, your Varnish is gone. Or, God forbid, some funny person sets a response code over 999. (Oh, is that a new disclosure?)

I've argued many times: 

Asserting on user input from the network should not be done, it is bad form and sloppy.


EOM


------Original Message------
From: Poul-Henning Kamp
To: Artur Bergman
Cc: Nils Goroll
Cc: varnish-dev at varnish-cache.org
Subject: Re: full disclosure reports
Sent: Mar 6, 2013 08:23

In message <E4AC4D6A-694C-4025-A914-9FA85DF83B43 at crucially.net>, Artur Bergman writes:

>> They contacted me up front, I told them we don't consider it a security
>> problem, because Varnish has to trust the backend being sensible.
>>
>> We'd be just as hosed if the backend started sending only 1TB objects.
>
>Thank you for that very pragmatic and mature view of the world.

I didn't say I don't consider those issues problems, I do, I just don't
consider them security problems.

I do realize that Fastly's usage of Varnish is different from pretty much
everybody else in the world, but that is a risk Fastly has chosen to take
and the consequences are theirs to bear.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Sent via BlackBerry by AT&T
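As an added illustration of the point made in this thread (not Varnish code, and not written by either participant), the following shows how a cache could validate the two backend-supplied values the mail names, a Vary header with a forgotten comma and an out-of-range status code, and report them as a rejectable response rather than asserting. The function names and sample header values are constructed for the example.

```python
import re

# RFC 7230 "token" characters. A Vary value is a comma-separated list of
# field names (tokens), or the single value "*".
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_vary(value):
    """Parse a Vary header value into a list of lower-cased field names.

    Returns (fields, error). error is None when the value is well formed;
    otherwise it describes the defect instead of raising, so the caller
    decides how to treat the backend response.
    """
    if value is None:
        return [], None
    stripped = value.strip()
    if stripped == "*":
        return ["*"], None
    fields = []
    for raw in stripped.split(","):
        name = raw.strip()
        if name == "":
            continue  # empty list elements are tolerated by the grammar
        if not TOKEN.match(name):
            # Whitespace inside an element means a separator was forgotten,
            # e.g. "Accept-Encoding User-Agent".
            return [], "malformed Vary element: %r" % name
        fields.append(name.lower())
    return fields, None


def validate_backend_response(status, headers):
    """Return the reasons a backend response must be refused, if any.

    An empty list means both checks passed. A proxy would turn a non-empty
    list into a 503 for the client plus a log line, never into a crash of
    the cache process.
    """
    problems = []
    if not 100 <= status <= 599:
        problems.append("status code %d out of range" % status)
    _, err = parse_vary(headers.get("Vary"))
    if err:
        problems.append(err)
    return problems
```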

