nginx-mitigate-log4shell

Catch UTF symbols

Open igor-mendix opened this issue 3 years ago • 3 comments

Some UTF symbols can be converted by Java to normal ASCII (source).

Example:

${jnd${upper:ı}:ldap:URL}

Maybe we can block all requests that contain UTF symbols altogether as I can't imagine a situation when they are used in URIs or headers. But it seems too blunt, maybe there's a better way.

igor-mendix, Dec 14 '21 13:12

Aren't they url-encoded by Nginx when they arrive at Nginx?

Napsty, Dec 14 '21 14:12

In the nginx access logs they do become escaped:

"${${jnd${upper:\xC4\xB1}:ldap:localhost/log4shell_test}"

But does it mean they're neutralized?

igor-mendix, Dec 14 '21 17:12
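The dotless ı in the opening post only becomes an ASCII "I" once Log4j's `${upper:}` lookup runs on the Java side, so a filter that searches the raw request for the literal string "jndi" never sees it, and the `\xC4\xB1` in the access-log line above is just nginx's escaping of the same two UTF-8 bytes, not neutralisation. The following is an added Python example, not code from nginx-mitigate-log4shell, that emulates the upper/lower lookups before matching; it goes beyond the single case on the page by also undoing nginx's `\xHH` log escaping and applying NFKC normalisation, and all sample inputs are constructed.

```python
import re
import unicodedata

# Constructed samples: the bypass from the issue, the same request as it
# appears in an nginx access log (non-ASCII bytes escaped as \xHH), and a
# benign URI that legitimately contains non-ASCII characters.
SAMPLES = {
    "raw": "${jnd${upper:ı}:ldap://localhost/log4shell_test}",
    "log": "${${jnd${upper:\\xC4\\xB1}:ldap:localhost/log4shell_test}",
    "safe": "/search?q=naïve café",
}

_NGINX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")
# Innermost ${upper:...} / ${lower:...} only: no '$', '{' or '}' inside.
_CASE_LOOKUP = re.compile(r"\$\{(upper|lower):([^${}]*)\}", re.IGNORECASE)


def unescape_nginx(line: str) -> str:
    """Turn nginx's \\xHH log escapes back into the original UTF-8 text.
    Assumes the rest of the log line is ASCII, which is what nginx emits."""
    byte_chars = _NGINX_ESC.sub(lambda m: chr(int(m.group(1), 16)), line)
    return byte_chars.encode("latin-1", errors="replace").decode("utf-8", errors="replace")


def resolve_case_lookups(s: str) -> str:
    """Apply ${upper:x}/${lower:x} innermost-first until nothing changes,
    mirroring the order in which Log4j would expand nested lookups."""
    prev = None
    while prev != s:
        prev = s
        s = _CASE_LOOKUP.sub(
            lambda m: m.group(2).upper() if m.group(1).lower() == "upper" else m.group(2).lower(),
            s,
        )
    return s


def naive_match(s: str) -> bool:
    """What a plain substring rule sees: the raw request, lower-cased."""
    return "${jndi:" in s.lower()


def looks_like_jndi(s: str, *, from_nginx_log: bool = False) -> bool:
    """Detect a JNDI lookup after emulating the transformations Java applies.
    Only upper/lower lookups are emulated; other lookup types are out of scope."""
    if from_nginx_log:
        s = unescape_nginx(s)
    s = resolve_case_lookups(s)
    # NFKC folds compatibility forms (e.g. fullwidth letters); upper() maps ı -> I.
    s = unicodedata.normalize("NFKC", s).upper()
    return "${JNDI:" in s
```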

There are more known attack vectors, like date or environment variables. As of now there are 13 different bypass techniques, all described at https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words

krogon, Dec 22 '21 21:12