Bug 717078
Summary: | nginx: possible arbitrary code execution with null bytes in URI | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | allisson, jeremy, jlieskov, neal
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-02-20 03:40:41 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 717080 | |
Bug Blocks: | | |
Description
Vincent Danen
2011-06-27 22:01:39 UTC
Created nginx tracking bugs for this issue

Affects: epel-4 [bug 717080]

[I'm the original reporter] Just to clarify, this issue does not involve uploading files containing NULL bytes in their name. Instead, it has to do with how NULL bytes in URLs are handled by nginx.

The default configuration for PHP-FCGI involves a location block that looks for requests with URLs ending in .php and passes those requests on to the PHP-FCGI handler. In vulnerable versions of nginx, an attacker can cause any file accessible on the server to be executed as PHP by making a request with a URL ending in %00.php. Behind the scenes, nginx notices the .php extension at the end of the request and passes it along to the PHP-FCGI handler. However, the %00.php suffix is ignored by PHP-FCGI due to the NULL byte, which allows the real file to be loaded and parsed. That leads to arbitrary code execution on sites where an attacker can upload a publicly accessible file to the server.

Blog post about this flaw from the original reporter: https://nealpoole.com/blog/2011/08/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/

This was pushed to stable back in September, should it be closed now? https://admin.fedoraproject.org/updates/FEDORA-EPEL-2011-4278/nginx-0.8.55-2.el4

It looks like this should have been closed by Bodhi but wasn't.

(In reply to comment #5)
> It looks like this should have been closed by Bodhi but wasn't.

I can confirm, the latest available version of nginx package for Fedora EPEL 4 is nginx-0.8.55-2.el4, which contains the patch for this issue. Thus this truly should be closed.

Thanks for doing that, Jeremy.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
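The mechanism described in the report, as an added example (this is not code from the bug report, from nginx or from PHP): a small Python model of the two parsers whose disagreement causes the flaw. nginx matches its `location ~ \.php$` regex against the percent-decoded URI, so `avatar.jpg%00.php` still ends in `.php`, while PHP-FCGI consumes `SCRIPT_FILENAME` as a C string and stops reading at the first NUL byte, so it opens `avatar.jpg`. The hardened dispatcher shows the two independent defenses a practitioner would want: rejecting any decoded URI that contains a NUL (what a fixed nginx does; modeling that as a 400 response is an assumption here) and checking that the exact requested path exists before handing it to FastCGI, which is what `try_files $uri =404;` inside the PHP location achieves. The document root, the uploaded file name and the file listing are constructed for the example.

```python
"""Model of the nginx + PHP-FCGI NUL-byte dispatch bug (added example)."""
import re
from urllib.parse import unquote_to_bytes

DOCUMENT_ROOT = b"/var/www/html"          # assumed document root
PHP_LOCATION = re.compile(rb"\.php$")     # models `location ~ \.php$`

# Constructed view of the web root. The attacker managed to upload
# avatar.jpg, which actually contains PHP code.
FILES_ON_DISK = {
    b"/var/www/html/index.php",
    b"/var/www/html/uploads/avatar.jpg",
}


def c_string(value: bytes) -> bytes:
    """PHP's FastCGI SAPI handles SCRIPT_FILENAME with C string functions:
    everything after the first NUL byte is invisible to it."""
    nul = value.find(b"\0")
    return value if nul < 0 else value[:nul]


def vulnerable_dispatch(raw_uri: str) -> dict:
    """nginx before the fix: percent-decode the URI, choose the location by
    regex, build SCRIPT_FILENAME from the decoded URI and pass it to PHP."""
    uri = unquote_to_bytes(raw_uri)       # %00 becomes a real NUL byte
    if not PHP_LOCATION.search(uri):
        return {"handler": "static", "path": DOCUMENT_ROOT + uri}
    script_filename = DOCUMENT_ROOT + uri  # what nginx sends over FastCGI
    executed = c_string(script_filename)   # what PHP actually opens
    if executed not in FILES_ON_DISK:
        return {"handler": "php", "status": 404}
    return {"handler": "php", "status": 200, "executed": executed}


def hardened_dispatch(raw_uri: str) -> dict:
    """Fixed behaviour: refuse NUL bytes in the decoded URI (status code is
    an assumption of this model), and only pass to FastCGI a path that
    exists exactly as requested, i.e. `try_files $uri =404;`."""
    uri = unquote_to_bytes(raw_uri)
    if b"\0" in uri:
        return {"status": 400}
    if not PHP_LOCATION.search(uri):
        return {"handler": "static", "path": DOCUMENT_ROOT + uri}
    script_filename = DOCUMENT_ROOT + uri
    if script_filename not in FILES_ON_DISK:   # try_files $uri =404
        return {"handler": "php", "status": 404}
    return {"handler": "php", "status": 200, "executed": script_filename}


if __name__ == "__main__":
    attack = "/uploads/avatar.jpg%00.php"
    print("vulnerable:", vulnerable_dispatch(attack))
    print("hardened:  ", hardened_dispatch(attack))
```

Running it shows the vulnerable path executing `/var/www/html/uploads/avatar.jpg` as PHP with a 200, while the hardened path rejects the same request outright; a plain request for `/uploads/avatar.jpg` is served as a static file in both cases, which is why the upload alone is not enough without the NUL-byte trick.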