Is HAProxy vulnerable to CVE-2007-6750?

  • Does CVE-2007-6750 affect HAProxy? I ran nmap with nmap -Pn --script vuln:

    53/tcp   open  domain
    80/tcp   open  http
    |_http-csrf: Couldn't find any CSRF vulnerabilities.
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    |_http-passwd: ERROR: Script execution failed (use -d to debug)
    | http-slowloris-check: 
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |     Disclosure date: 2009-09-17
    |     References:
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  • LAYER 8

    HAProxy isn't an Apache HTTP server; I don't see how this could be related to it.
    HAProxy just passes the traffic to the real server; if the real server is vulnerable, it's not HAProxy's fault.

  • @kiokoman Thanks for clarifying.
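
Added example, not part of the thread: a small parser for the script output quoted in the question, which extracts each finding's port, script name, State and CVE IDs so that unconfirmed results such as LIKELY VULNERABLE can be queued for manual verification against the actual service. The sample text is constructed from the lines in the post; the function names and the triage rule are assumptions of this example.

```python
import re

# Constructed sample: script-output lines copied from the scan quoted in the question.
SAMPLE = """\
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-passwd: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|     Disclosure date: 2009-09-17
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\S+")
# A script header has the script name directly after "|_" or "| ";
# lines nested inside a script's output are indented further.
SCRIPT_RE = re.compile(r"^\|[_ ]([a-z0-9-]+):")
STATE_RE = re.compile(r"^\|_?\s+State:\s*(.+)$")
IDS_RE = re.compile(r"^\|_?\s+IDs:\s*(.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_findings(text):
    """Return one dict per script block that reports a 'State:' line."""
    findings, port, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate indentation added by forum quoting
        if m := PORT_RE.match(line):
            port, current = f"{m[1]}/{m[2]}", None
        elif m := SCRIPT_RE.match(line):
            current = {"port": port, "script": m[1], "state": None, "cves": []}
        elif current is not None and (m := STATE_RE.match(line)):
            current["state"] = m[1]
            findings.append(current)
        elif current is not None and (m := IDS_RE.match(line)):
            current["cves"] = CVE_RE.findall(m[1])
    return findings


def needs_confirmation(findings):
    """Triage rule assumed by this example: 'LIKELY ...' states are unconfirmed."""
    return [f for f in findings if f["state"].startswith("LIKELY")]


if __name__ == "__main__":
    for f in needs_confirmation(parse_findings(SAMPLE)):
        print(f"{f['port']} {f['script']}: {f['state']} {f['cves']}")
```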