Comment by FiloSottile
12 years ago
I've built a web tester for this bug, find it at
It actually exploit the bug, since it was quite trivial, and echo some memory.
It's written in Go, no more than 100 lines. I'll release code in some time.
12 years ago
I've built a web tester for this bug, find it at
It actually exploit the bug, since it was quite trivial, and echo some memory.
It's written in Go, no more than 100 lines. I'll release code in some time.
Interestingly, your tool claims our website (SSL-terminated at our ELB instance) is still vulnerable; while this other tool (http://possible.lv/tools/hb) claims we are unaffected.
Another, known unpatched, app is reported to be affected by both tools.
Is it possible that FiloSottile/Hearbleed may report false positives?
From what I've learned, it reports back if it gets something, when it should get nothing.
How vulnerable a specific site is depends on luck. Yahoo must have broken a whole bunch of mirrors because total amateurs can send mail.yahoo.com a certain blob of code and it has a good chance of returning a stranger's password.
My upgraded debian and ubuntu boxes are still reported as vulnerable.... Who's wrong, who's right?
Have you restarted the services linked against openssl?
lsof | grep ssl | grep DEL
It was indeed the restart step that was missing
Would love to see the code and test it against a rebuilt a patched nginx.
Filippo has hosted it with github.
https://github.com/FiloSottile/Heartbleed
Just run it against it?
Well, I was interested in actually testing it out in code. I got it working with the pyOpenSSL bindings (I had to expose struct ssl_method_st, SSL_get_ssl_method, ssl_write_bytes and rebuild cryptography for pyOpenSSL.) Fun times.
It says that the heartbleed.com site itself is vulnerable.
Looks like its fixed
Exactly what I was looking for, thanks! This should be part of the official heartbleed site not hidden away in comments here.
Nice work