Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 502 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF information leakage

jamesharper

I noticed this just recently when a client's servers were down for maintenance. If you set up a WAF rule with a target of an FQDN host, and if this host can't be resolved, the error message contains the name of the internal server, eg:

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request

Reason: DNS lookup failure for: some.hostname.that.doesnt.resolve

If the target is an IP host then you get an error that discloses no internal information, which is what I would expect in both cases.

I have verified this on 18.5.1.

Can I get a second opinion on if this is worth logging a support request on? I don't want to bother if it isn't going to get fixed.

James



This thread was automatically locked due to age.
Parents
  • 0
    jamesharper said:
    Can I get a second opinion on if this is worth logging a support request on? I don't want to bother if it isn't going to get fixed.

    The chances of this getting fixed is almost null.

    But I still recommend you to create a support request - anyways they will tell you to use ideas.sophos.com and ignore you later on.

    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • 0 in reply to Prism

    Security issue vs feature requests are quite different. But even security issues needs to be handled with certain prioritization. And looking at this kind of issue, it could be quite unlikely to cause an issue. 

    You would need to either wait until the firewall restart (Not HA) and/or send a DOS attack to get the system/module restart. Then you have to request the WAF at the same time to get this kind of information. In the same time, its just a internal hostname - Which means, its not as sensitive from my perspective. 

    But it is still worth it to log this as an issue. 

    __________________________________________________________________________________________________________________

Reply
  • 0 in reply to Prism

    Security issue vs feature requests are quite different. But even security issues needs to be handled with certain prioritization. And looking at this kind of issue, it could be quite unlikely to cause an issue. 

    You would need to either wait until the firewall restart (Not HA) and/or send a DOS attack to get the system/module restart. Then you have to request the WAF at the same time to get this kind of information. In the same time, its just a internal hostname - Which means, its not as sensitive from my perspective. 

    But it is still worth it to log this as an issue. 

    __________________________________________________________________________________________________________________

Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?