Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Catch UTF symbols #15

Open
igor-mendix opened this issue Dec 14, 2021 · 3 comments
Open

Catch UTF symbols #15

igor-mendix opened this issue Dec 14, 2021 · 3 comments

Comments

@igor-mendix
Copy link

Some UTF symbols can be converted by Java to normal ASCII (source).

Example:

${jnd${upper:ı}:ldap:URL}

Maybe we can block all requests that contain UTF symbols altogether as I can't imagine a situation when they are used in URIs or headers. But it seems too blunt, maybe there's a better way.
@Napsty
Copy link
Contributor

Napsty commented Dec 14, 2021

Aren't they url-encoded by Nginx when they arrive at Nginx?

@igor-mendix
Copy link
Author

In the nginx access logs they do become escaped:

"${${jnd${upper:\xC4\xB1}:ldap:localhost/log4shell_test}"

But does it mean they're neutralized?

@krogon
Copy link

krogon commented Dec 22, 2021
edited
Loading

There are more known attack vectors, like date or environment variables. As of now there is 13 different bypass techniques, all described at https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@krogon @Napsty @igor-mendix