June 8, 2012

Vulnerability in Nginx Eliminated


Vladimir Kochetkov, a Positive Research expert, has detected a severe vulnerability in nginx on Windows.

On Windows platforms there are many ways of addressing one and the same file, and the nginx developers did not account for all of them. Nginx versions for Windows (from 0.7.52 to 1.2.0 and 1.3.0 included) proved vulnerable to a bypass of security restrictions. The vulnerability enabled an attacker to direct HTTP requests to certain URLs, bypassing the rules set in the location directives of the web server configuration.

By exploiting the security flaw in nginx, an attacker could have gained access to the source code of a web application and to closed sections of a web site, or could have stolen passwords to databases and other services. When matching the requested resource URL against the locations defined in the web server configuration, nginx does not take into account that NTFS allows folders to be addressed using extended attribute syntax. This allows attackers to bypass access restrictions set for static resources.

About nginx: it is an HTTP server and reverse proxy, as well as a mail proxy, created by Igor Sysoyev. The total number of sites that use nginx is over 70 million, and 12.49% of active sites are built on it. Nginx is also the most popular server in the .ru zone: it is employed by over 50% of Russian resources, including the most famous and highly loaded projects, such as Yandex, Rambler, Mail.Ru, and VKontakte.

The vulnerability was first described by Vladimir Kochetkov in his presentation at the PHDays forum, Moscow, 2012.
