full disclosure reports
sky at crucially.net
sky at crucially.net
Wed Mar 6 17:31:18 CET 2013
I am not just speaking for us. (we didn't report some of the issues because of the seemingly lack of interest). I also don't think it is just about us, I know a lot of people front web (word press, drupal, etc) farms with varnish. Where someone could change a header but not generate 1TB objects.
And previously, you have not considered these a problem at all.
If you are fronting a website that you completely own, and you have 300 developers working on it. It isn't entirely unlikely one of them will forget a , in a vary. And boom your varnish is gone. Or god forbid some funny person sets a response code over 999. (oh is that new disclosure?)
I've argued many times:
Asserting on user input from the network should not be done, it is bad form and sloppy.
EOM
------Original Message------
From: Poul-Henning Kamp
To: Artur Bergman
Cc: Nils Goroll
Cc: varnish-dev at varnish-cache.org
Subject: Re: full disclosure reports
Sent: Mar 6, 2013 08:23
In message <E4AC4D6A-694C-4025-A914-9FA85DF83B43 at crucially.net>, Artur Bergman writes:
>> They contacted me up front, I told them we don't consider it a security
>> problem, because Varnish has to trust the backend being sensible.
>>
>> We'd be just as hosed if the backend started sending only 1TB objects.
>
>Thank you for that very pragmatic and mature view of the world.
I didn't say I don't consider those issues problems, I do, I just don't
consider them security problems.
I do realize that Fastly's usage of Varnish is different from pretty much
everybody else in the world, but that is a risk Fastly has chosen to take
and the consequences are theirs to bear.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Sent via BlackBerry by AT&T
More information about the varnish-dev
mailing list