Forum Discussion
Craig_C_
Nimbostratus
NimbostratusHas anyone written an iRule to filter CVE-2014-6271?
CVE-2014-6271 was made public today, potentially wreaking havoc on apache/bash. Has anyone written an iRule to filter this vulnerability from HTTP GET requests?
Moonlit: How are you sending in the string, (curl, browser, script).
This works for me:
curl http://192.168.1.59/?text='DAGSUGER() \{ :;\}; ls -al': Detected CVE-2014-6271 attack from 192.168.1.133
: GET /?text=DAGSUGER() { :;}; ls -al HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1e zlib/1.2.3 libidn/0.6.5 Host: 192.168.1.59 Accept: */*
This does NOT work, look at the resulting Request, { is not sent:
curl http://192.168.1.59/?text='DAGSUGER() { :;}; ls -al'Resulting request to BigIP:
: GET /?text=DAGSUGER() :;; ls -al HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1e zlib/1.2.3 libidn/0.6.5 Host: 192.168.1.59 Accept: */*
HTH
