Maxim Dounin
2013-Nov-19 15:02 UTC
[nginx-ru-announce] nginx security advisory (CVE-2013-4547)
Hello!
Ivan Fratric of the Google Security Team discovered a bug in nginx which,
in certain configurations, allows security restrictions to be bypassed by
means of a specially crafted request, and which may have other consequences
(CVE-2013-4547).

Some checks of the request URI were not performed on the character
following an unencoded space character (an unencoded space is not allowed
by the HTTP protocol, but has been supported since nginx 0.8.41 for
compatibility reasons). One consequence of the bug was the ability to
access a file protected by an access restriction such as

    location /protected/ {
        deny all;
    }

by requesting it as "/foo /../protected/file" (in the case of static
files, only if a directory "foo ", with a trailing space, exists), as well
as the ability to trigger special handling of a file with a trailing space
in a configuration such as

    location ~ \.php$ {
        fastcgi_pass ...
    }

by requesting the file as "/file \0.php".

The problem affects nginx 0.8.41 - 1.5.6.

The problem is fixed in nginx 1.5.7, 1.4.4.

A patch that fixes the problem is available here:
http://nginx.org/download/patch.2013.space.txt

As a temporary workaround, the following configuration can be used in
each server{} block:

    if ($request_uri ~ " ") {
        return 444;
    }
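The same condition the workaround matches ($request_uri containing a raw space) can be checked retroactively against an access log to find requests of the two shapes described above. The following Python script is an added example, not part of the advisory or of nginx; the log lines are constructed, and it assumes the default combined log format, in which nginx writes a NUL byte in the request line as the escape sequence \x00.

```python
import re

# Combined format: $remote_addr - $remote_user [$time_local] "$request" $status ...
# Only the quoted request line and the status are needed here.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Request line as logged: METHOD, the target, then the trailing HTTP version.
REQ_RE = re.compile(r'^([A-Z]+) (.*) (HTTP/\d\.\d)$')


def request_uri(request_line):
    """Split a logged request line into (method, uri, version).

    The URI is everything between the method and the trailing " HTTP/x.y",
    so a raw space inside the URI is kept instead of being treated as a
    field separator (splitting on whitespace would hide exactly the case
    this bug is about)."""
    m = REQ_RE.match(request_line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def has_unencoded_space(uri):
    # Mirrors the workaround's test: $request_uri ~ " "
    return " " in uri


def flag_suspicious(lines):
    """Return (client, uri, status) for every request whose URI has a raw space."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = request_uri(m.group("request"))
        if parsed and has_unencoded_space(parsed[1]):
            hits.append((m.group("addr"), parsed[1], m.group("status")))
    return hits


# Constructed sample log lines (not real traffic). The second and third
# mirror the two request shapes from the advisory; the last shows the
# workaround in effect (status 444).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Nov/2013:15:02:00 +0400] "GET /foo%20/../protected/file HTTP/1.1" 403 162 "-" "curl/7.30.0"',
    '192.0.2.10 - - [19/Nov/2013:15:02:01 +0400] "GET /foo /../protected/file HTTP/1.1" 200 512 "-" "curl/7.30.0"',
    '192.0.2.11 - - [19/Nov/2013:15:02:02 +0400] "GET /file \\x00.php HTTP/1.1" 200 88 "-" "-"',
    '192.0.2.12 - - [19/Nov/2013:15:02:03 +0400] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [19/Nov/2013:15:02:04 +0400] "GET /foo /../protected/file HTTP/1.1" 444 0 "-" "curl/7.30.0"',
]

if __name__ == "__main__":
    for addr, uri, status in flag_suspicious(SAMPLE_LOG):
        print(f"{addr} {status} {uri!r}")
```

A percent-encoded space (%20) is not matched, which is the same behaviour as the workaround regex; only the raw-space form that the affected nginx versions accepted is flagged.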
--
Maxim Dounin
http://nginx.org/en/donation.html