Shellshock protection using nginx ?

mex nginx-forum at
Fri Sep 26 09:16:02 UTC 2014

hi pekka, 

since the attack, esp. against CGI, is possible through (custom)
headers/cookies etc
you'd need some waf-functionalities (afaik)

naxsi, an nginx-based waf, has a signature for this since wednesday

MainRule "str:() {" "msg:Possible Remote code execution through Bash
CVE-2014-6271" "mz:BODY|HEADERS" "s:$ATTACK:8" id:42000393  ;

Posted at Nginx Forum:,253553,253555#msg-253555

More information about the nginx mailing list