Proposed simple shell-shock protection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I've revisited mod_taint this morning, and made some updates:
a bugfix, a new option to apply an untainting rule to all headers.
But topically, a canned configuration option to protect
against shell-shock patterns:

  LoadModule modules/mod_taint.so
  Untaint shellshock

Untaint works in a directory context, so can be
selectively enabled for potentially-vulnerable apps
such as those involving CGI, SSI, ExtFilter,
or (other) scripts.

This goes through all Request headers, any PATH_INFO
and QUERY_STRING, and (just to be paranoid) any
other subprocess environment variables.  It untaints
them against a regexp that checks for "()" at the
beginning of a variable, and returns an HTTP 400 error
(Bad Request) if found.

Feedback welcome, indeed solicited.  I believe this
is a simple but sensible approach to protecting
potentially-vulnerable systems, but I'm open to
contrary views.  The exact details, including the
shellshock regexp itself, could probably use some
refinement.  And of course, bug reports!

Builds and runs with httpd 2.2 and 2.4.  Very limited
testing verifies that it catches a shellshock attack
in a request header.

http://people.apache.org/~niq/mod_taint.html

Note: cross-posting, with followup-to set to dev@.
If you're following up to report a critical bug,
adding users@ will ensure widest exposure!

-- 
Nick Kew

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx





[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux