using nginx to mitigate the latest joomla-vuln - discussion
mex
nginx-forum at nginx.us
Wed Dec 16 16:52:16 UTC 2015
this one: https://www.nginx.com/blog/new-joomla-exploit-cve-2015-8562/
I'd suggest changing the UA detection from "JDatabaseDriverMysql"
to a regex detecting the PHP object injection, to cover additional
attack vectors (like my gurus @ emergingthreats said:
"mitigation against the vuln, not the exploit you should create" :D).
I also suggest deleting the "O:" detection, which will lead to
a lot of false positives, as well as using "{" alone.
http {
    # map the User-Agent onto a 0/1 flag; the leading "~" makes the key a
    # (case-sensitive) regex, so the value must be quoted because of "{" and ";"
    map $http_user_agent $blocked_ua {
        # serialized PHP object: O:<len>:"<class>":<n>:{s:<len>:"...";...}
        # the "\+?" also tolerates a "+" in front of the numeric fields
        "~O:\+?\d+:.*:\+?\d+:{(s|S):\+?\d+:.*;.*}" 1;
        default 0;
    }
    ...
    server {
        ...
        # reject any request whose User-Agent matched the map
        if ($blocked_ua) { return 403; }
        ...
    }
    ...
}
cheers,
mex
P.S. repost, because of forum snafu
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,263478,263483#msg-263483
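As an added example (not part of mex's post or the nginx project), the map's regex exercised in Python against constructed User-Agent strings, showing what it matches, why the "\+?" is there, and why a bare "O:" marker would produce false positives:

```python
import re

# The regex from the post, i.e. the nginx map key without its leading "~".
# It looks for a serialized PHP object: O:<len>:"<class>":<n>:{s:<len>:"...";...}
# The "\+?" tolerates an optional "+" before the numeric fields, which a
# stricter "O:\d+" check would miss.
PHP_OBJECT_UA = re.compile(r'O:\+?\d+:.*:\+?\d+:{(s|S):\+?\d+:.*;.*}')

# The bare markers the post recommends dropping because of false positives.
NAIVE_MARKERS = ("O:", "{")


def blocked_by_map(user_agent: str) -> int:
    """Return 1 where nginx's map would set $blocked_ua=1 (and return 403), else 0."""
    return 1 if PHP_OBJECT_UA.search(user_agent) else 0


def blocked_by_naive(user_agent: str) -> bool:
    """Return True if either bare marker occurs in the UA (the rejected approach)."""
    return any(marker in user_agent for marker in NAIVE_MARKERS)


# Constructed sample inputs, not real traffic.
# A benign UA that happens to contain "O:" (inside "INFO:").
BENIGN_UA = 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; INFO:xyz)'
# A generic serialized stdClass object appended to a UA string.
SERIALIZED_UA = 'Mozilla/5.0 O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'
# The same object with "+" in front of the numeric fields.
SERIALIZED_PLUS_UA = 'Mozilla/5.0 O:+8:"stdClass":+1:{s:+3:"foo";s:3:"bar";}'


if __name__ == "__main__":
    for label, ua in (("benign", BENIGN_UA),
                      ("serialized", SERIALIZED_UA),
                      ("serialized+plus", SERIALIZED_PLUS_UA)):
        print(f"{label:16} map={blocked_by_map(ua)} naive={blocked_by_naive(ua)}")
```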