Hello!

Vladimir Kochetkov, Positive Research Center, discovered a problem in nginx/Windows that in some cases allows security restrictions to be bypassed (CVE-2011-4963).

When running under Windows there are many ways to access one and the same file, and nginx did not account for all of the possible ways. As a result, it was possible to access a file protected by access restrictions of the form

    location /directory/ {
        deny all;
    }

by requesting it as "/directory::$index_allocation/file", or "/directory:$i30:$index_allocation/file", or "/directory./file".

The problem is fixed in nginx/Windows 1.3.1, 1.2.1.

When using older versions, a configuration of the following form can be used as a temporary workaround:

    location ~ "(\.|:\$)" {
        deny all;
    }

Maxim Dounin
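An added example, not part of the original advisory and not nginx code: a Python check that scans access-log lines for the request forms named above, that is, a path segment ending in a dot or carrying a ":$" stream suffix. The function names are hypothetical, the log lines are constructed, and the combined log format is an assumption.

```python
import re
from urllib.parse import unquote

# Assumed combined log format: client, request line and status are all we need.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

def suspicious_segments(uri):
    """Return path segments that name a directory through an NTFS alias."""
    path = unquote(uri.split("?", 1)[0])   # drop the query, undo %-encoding
    hits = []
    for seg in path.split("/"):
        if seg in ("", ".", ".."):
            continue                        # ordinary relative components
        # Trailing dot ("directory.") or stream suffix ("directory::$index_allocation")
        if seg.endswith(".") or ":$" in seg:
            hits.append(seg)
    return hits

def scan_log(text):
    """Return (client, uri, status, segments) for each flagged request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not a combined-format line
        client, uri, status = m.group(1), m.group(2), int(m.group(3))
        hits = suspicious_segments(uri)
        if hits:
            findings.append((client, uri, status, hits))
    return findings

# Constructed sample lines (documentation addresses, invented timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jun/2012:10:00:01 +0000] "GET /directory::$index_allocation/file HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [05/Jun/2012:10:00:02 +0000] "GET /directory:$i30:$index_allocation/file HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [05/Jun/2012:10:00:03 +0000] "GET /directory./file HTTP/1.1" 403 162 "-" "-"
192.0.2.12 - - [05/Jun/2012:10:00:04 +0000] "GET /docs/index.html?v=1.2. HTTP/1.1" 200 1024 "-" "-"
192.0.2.12 - - [05/Jun/2012:10:00:05 +0000] "GET /directory/file HTTP/1.1" 403 162 "-" "-"
"""

if __name__ == "__main__":
    for client, uri, status, hits in scan_log(SAMPLE_LOG):
        # A 2xx status on a path that should be denied deserves a closer look.
        note = "SERVED" if 200 <= status < 300 else "refused"
        print(f"{client} {status} {note} {uri} -> {hits}")
```

A flagged request answered with a 2xx status on a path covered by a `deny all` location indicates the server is still running an affected version.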