Maxim Dounin
[nginx-announce] nginx security advisory (CVE-2013-4547)
November 26, 2013 11:38AM
Hello!

Ivan Fratric of the Google Security Team discovered a bug in nginx,
which might allow an attacker to bypass security restrictions in certain
configurations by using a specially crafted request, or might have
potential other impact (CVE-2013-4547).

Some checks on a request URI were not executed on a character following
an unescaped space character (which is invalid per HTTP protocol, but
allowed for compatibility reasons since nginx 0.8.41). One of the
results is that it was possible to bypass security restrictions like

location /protected/ {
deny all;
}

by requesting a file as "/foo /../protected/file" (in case of static
files, only if there is a "foo " directory with a trailing space), or to
trigger processing of a file with a trailing space in a configuration
like

location ~ \.php$ {
fastcgi_pass ...
}

by requesting a file as "/file \0.php".

The problem affects nginx 0.8.41 - 1.5.6.

The problem is fixed in nginx 1.5.7, 1.4.4.

Patch for the problem can be found here:

http://nginx.org/download/patch.2013.space.txt

As a temporary workaround the following configuration
can be used in each server{} block:

if ($request_uri ~ " ") {
return 444;
}


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce
Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 129
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready