Is HaProxy vulnerable to CVE-2007-6750?
-
Does CVE-2007-6750 affect HaProxy? I ran nmap with nmap -Pn --script vuln 66.1xx.xxx.13
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-passwd: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs: CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible. It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
-
@manjotsc
HAProxy isn't an Apache HTTP server; I don't see how this could be related to it.
HAProxy just passes the traffic to the real server; if the real server is vulnerable, it's not HAProxy's fault.
-
@kiokoman Thanks for clarifying
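An added example, not part of the original thread: a defender-side check over HAProxy logs for the partial-request pattern the nmap script describes. It assumes the default `option httplog` line layout, where termination state `cR` marks a client that timed out before sending a complete request (the window set by `timeout http-request`); the sample lines, addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Layout assumed: HAProxy default "option httplog" line.
# After the [date]: frontend, backend/server, timers, status, bytes,
# two cookie fields, then the 4-character termination state.
LINE_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>\S+):(?P<port>\d+) \[[^\]]+\] '
    r'\S+ \S+ \S+ (?P<status>-?\d+) \S+ \S+ \S+ (?P<term>\S{4}) '
)

# Constructed sample log (documentation address ranges, not real traffic).
_TIMEOUT = ('haproxy[2101]: {ip}:{port} [10/Mar/2024:10:00:{sec:02d}.000] '
            'www www/<NOSRV> -1/-1/-1/-1/5000 408 212 - - cR-- '
            '40/40/0/0/0 0/0 "<BADREQ>"')
_NORMAL = ('haproxy[2101]: 198.51.100.20:40112 [10/Mar/2024:10:00:09.120] '
           'www app/srv1 3/0/1/12/16 200 2750 - - ---- '
           '41/41/1/1/0 0/0 "GET / HTTP/1.1"')
SAMPLE_LOG = "\n".join(
    [_TIMEOUT.format(ip="203.0.113.7", port=51000 + i, sec=5 + i)
     for i in range(4)]
    + [_TIMEOUT.format(ip="198.51.100.20", port=40100, sec=8), _NORMAL]
)


def slow_header_sources(log_text, threshold=3):
    """Return {source_ip: count} for clients whose requests repeatedly
    ended in state cR (timeout while waiting for complete headers)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("term").startswith("cR"):
            hits[m.group("ip")] += 1
    # A single cR can be an ordinary slow client; repeated ones from the
    # same source are what a Slowloris-style client produces.
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in slow_header_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests timed out before headers completed")
```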