
Nginx [nginx-announce] nginx security advisory (CVE-2013-4547)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jun 7, 2014.

    Hello!

    Ivan Fratric of the Google Security Team discovered a bug in nginx,
    which might allow an attacker to bypass security restrictions in certain
    configurations by using a specially crafted request, or might have
    potential other impact (CVE-2013-4547).

    Some checks on a request URI were not executed on a character following
    an unescaped space character (which is invalid per HTTP protocol, but
    allowed for compatibility reasons since nginx 0.8.41). One of the
    results is that it was possible to bypass security restrictions like

    location /protected/ {
        deny all;
    }

    by requesting a file as "/foo /../protected/file" (in case of static
    files, only if there is a "foo " directory with a trailing space), or to
    trigger processing of a file with a trailing space in a configuration
    like

    location ~ \.php$ {
        fastcgi_pass ...
    }

    by requesting a file as "/file \0.php".

    The problem affects nginx 0.8.41 - 1.5.6.


    The problem is fixed in nginx 1.5.7, 1.4.4.

    Patch for the problem can be found here:

    http://nginx.org/download/patch.2013.space.txt

    As a temporary workaround the following configuration
    can be used in each server{} block:

    if ($request_uri ~ " ") {
        return 444;
    }


    --
    Maxim Dounin
    http://nginx.org/en/donation.html

    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx-announce
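
A log-triage sketch for the advisory above, added here as an example and not part of the nginx announcement or the forum post: it flags access-log entries whose request URI contains an unescaped space (the same condition the temporary workaround matches) and checks a version string against the affected range. It assumes the default combined log format; the function names and sample log lines are constructed for illustration, and treating every 1.4.x release from 1.4.4 onward as fixed is an assumption.

```python
import re

# Assumption: nginx "combined" log format; the request line is the first quoted field.
LOG_RE = re.compile(r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<uri>.*) HTTP/\d\.\d$')

def uri_has_raw_space(request):
    """True if the logged request line has an unescaped space inside the URI."""
    m = REQ_RE.match(request)
    if not m:
        return False  # not a "METHOD URI HTTP/x.y" line; out of scope here
    return " " in m.group("uri")

def scan(lines):
    """Return (client, request, status) for entries matching the workaround's condition."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and uri_has_raw_space(m.group("request")):
            hits.append((m.group("addr"), m.group("request"), int(m.group("status"))))
    return hits

def is_affected(version):
    """Advisory range: 0.8.41 - 1.5.6, fixed in 1.5.7 and 1.4.4."""
    v = tuple(int(p) for p in version.split("."))
    if v < (0, 8, 41) or v > (1, 5, 6):
        return False
    # Assumption: every 1.4.x release from 1.4.4 onward carries the fix.
    return not ((1, 4, 4) <= v < (1, 5, 0))

# Constructed sample entries (documentation addresses, made-up timestamps).
# Status 444 is what the workaround's "return 444;" would log.
SAMPLE_LOG = [
    r'192.0.2.10 - - [07/Jun/2014:11:42:00 +1000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.30.0"',
    r'198.51.100.7 - - [07/Jun/2014:11:42:03 +1000] "GET /foo /../protected/file HTTP/1.1" 444 0 "-" "-"',
    r'198.51.100.7 - - [07/Jun/2014:11:42:05 +1000] "GET /file \x00.php HTTP/1.1" 444 0 "-" "-"',
    r'192.0.2.11 - - [07/Jun/2014:11:42:09 +1000] "GET /a%20b.html HTTP/1.1" 200 88 "-" "-"',
]

if __name__ == "__main__":
    for client, request, status in scan(SAMPLE_LOG):
        print(f"{client} -> {status}: {request!r}")
    for ver in ("1.4.3", "1.4.4", "1.5.6", "1.5.7"):
        print(ver, "affected" if is_affected(ver) else "not affected")
```

Entries flagged with a status other than 444 on a host in the affected range are the ones worth reviewing first, since they were served before the workaround or fix was in place.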
