CVE-2013-4547: nginx security advisory

The Google Security Team discovered a bug in nginx which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request (CVE-2013-4547). This problem affects nginx from 0.8.41 to 1.5.6, and has been fixed in 1.5.7 and 1.4.4.

The root cause is that some checks on a request URI were not executed on a character following an unescaped space character (which is invalid per the HTTP protocol, but allowed for compatibility reasons since nginx 0.8.41). One of the results is that it was possible to bypass restrictions in these typical cases:

1. With a security restriction like,

   location /protected/ {
      deny all;
   }

attackers can bypass it by requesting a file as “/foo /../protected/file” (in the case of static files, only if there is a “foo ” directory with a trailing space).

2. Attackers can bypass processing of a file with a trailing space in a configuration like,

    location ~ \.php$ {
        fastcgi_pass ...
    }

by requesting a file as “/file \0.php”.

As a temporary workaround, the following configuration can be used in each server{} block (it rejects any request whose URI contains an unescaped space by returning status 444, which makes nginx close the connection without a response):

   if ($request_uri ~ " ") {
      return 444;
   }

The patch for the problem can be found here: http://nginx.org/download/patch.2013.space.txt
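The workaround above only stops requests going forward; to find out whether such requests already reached a server, the access log can be checked for the same condition. The following script is an added example and is not part of the advisory or of nginx itself: it parses lines in nginx's "combined" log format, and flags any request line whose URI contains an unescaped space (a well-formed request line has exactly three space-separated fields) or an escaped control byte (nginx's default log escaping writes such bytes as `\xHH`, so a NUL shows up as the literal text `\x00`). The log lines in `SAMPLE_LOG` are constructed for the example; the regular expressions and the `Finding` type are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# nginx "combined" log format: the request line is the quoted field after
# the timestamp. Only the leading fields are needed, so the pattern is
# anchored at the start and ignores referer/user-agent.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# nginx's default log escaping renders control bytes 0x00-0x1F as \xHH,
# so a NUL byte inside the URI appears as the four characters \x00.
CONTROL_ESCAPE_RE = re.compile(r'\\x[01][0-9A-Fa-f]')


@dataclass
class Finding:
    addr: str
    request: str
    reason: str


def inspect_request(addr: str, request: str) -> Optional[Finding]:
    """Flag a request line whose URI carries an unescaped space or a control
    byte, the two ingredients of the CVE-2013-4547 bypasses; None if clean."""
    parts = request.split(" ")
    # A valid request line is "METHOD URI HTTP/x.y": exactly three fields.
    # Any extra field means the URI itself contained a raw space, which is
    # exactly what the advisory's $request_uri ~ " " workaround rejects.
    if len(parts) > 3:
        return Finding(addr, request, "unescaped space in request URI")
    uri = parts[1] if len(parts) >= 2 else ""
    if CONTROL_ESCAPE_RE.search(uri):
        return Finding(addr, request, "control byte in request URI")
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Run inspect_request over every parseable combined-format log line."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        finding = inspect_request(m.group("addr"), m.group("request"))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log lines (not real traffic). Lines 2-4 mirror the
# request shapes described in the advisory; line 5 uses a properly
# percent-encoded space and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Nov/2013:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.30.0"',
    '203.0.113.5 - - [19/Nov/2013:12:00:02 +0000] "GET /foo /../protected/file HTTP/1.1" 200 1024 "-" "curl/7.30.0"',
    '203.0.113.5 - - [19/Nov/2013:12:00:03 +0000] "GET /file \\x00.php HTTP/1.1" 200 77 "-" "curl/7.30.0"',
    '203.0.113.5 - - [19/Nov/2013:12:00:04 +0000] "GET /file\\x00.php HTTP/1.1" 200 77 "-" "curl/7.30.0"',
    '203.0.113.5 - - [19/Nov/2013:12:00:05 +0000] "GET /a%20b.html HTTP/1.1" 404 0 "-" "curl/7.30.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.addr}: {f.reason}: {f.request!r}")
```

Percent-encoded spaces (`%20`) are deliberately left alone, since they are valid and are not affected by this bug; only a raw space or a control byte in the URI is reported. If the server uses a custom `log_format`, adjust `LOG_RE` so that the `request` group still captures the `$request` field.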
