Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 491684 (CVE-2013-4547) - <www-servers/nginx-1.4.4 : bypass security restrictions (CVE-2013-4547)
Summary: <www-servers/nginx-1.4.4 : bypass security restrictions (CVE-2013-4547)
Status: RESOLVED FIXED
Alias: CVE-2013-4547
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://mailman.nginx.org/pipermail/ng...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-19 18:37 UTC by Dirkjan Ochtman
Modified: 2013-12-15 09:57 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dirkjan Ochtman gentoo-dev 2013-11-19 18:37:10 UTC
Some checks on a request URI were not executed on a character following
an unescaped space character (which is invalid per HTTP protocol, but
allowed for compatibility reasons since nginx 0.8.41).  One of the
results is that it was possible to bypass security restrictions like

    location /protected/ {
        deny all;
    }

by requesting a file as "/foo /../protected/file" (in case of static
files, only if there is a "foo " directory with a trailing space), or to
trigger processing of a file with a trailing space in a configuration
like

    location ~ \.php$ {
        fastcgi_pass ...
    }

by requesting a file as "/file \0.php".
Comment 1 Tiziano Müller (RETIRED) gentoo-dev 2013-11-19 21:16:38 UTC
nginx-1.4.4 and 1.5.7 are in the tree.
Please continue with stabilization of 1.4.4 since it is the stable branch.
Comment 2 Agostino Sarubbo gentoo-dev 2013-11-20 08:17:54 UTC
Arches, please test and mark stable:
=www-servers/nginx-1.4.4
Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-11-20 20:22:09 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-11-20 20:22:19 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Tiziano Müller (RETIRED) gentoo-dev 2013-11-21 10:12:42 UTC
(In reply to Agostino Sarubbo from comment #4)
> x86 stable.
> 
> Maintainer(s), please cleanup.
done.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 10:15:48 UTC
CVE-2013-4547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4547):
  nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to
  bypass intended restrictions via an unescaped space character in a URI.
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-12 14:38:48 UTC
GLSA vote: no.
Comment 8 Sergey Popov gentoo-dev 2013-12-15 09:57:28 UTC
GLSA vote: no

Closing as noglsa