ID
VAR-201005-0437
TITLE
Nginx file type error parsing vulnerability
Trust: 0.6
DESCRIPTION
Nginx is a widely used, high-performance web server. It is often used as a reverse proxy and also supports PHP very well. 80sec found a serious security problem: by default, the server may mistakenly parse a file of any type as PHP, so an attacker can execute arbitrary PHP code with web permissions. Nginx supports running PHP in CGI mode by default; for example, a configuration such as location ~ \.php$ { root html; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; include fastcgi_params; } enables PHP parsing. When nginx selects a location for a request, it matches on the URI environment variable. The key variable SCRIPT_FILENAME passed to the backend FastCGI is determined by the $fastcgi_script_name generated by nginx, and analysis shows that $fastcgi_script_name is directly controlled by the URI environment variable; this is the point where the problem occurs. To better support the extraction of PATH_INFO, the PHP configuration includes the cgi.fix_pathinfo option, whose purpose is to extract the real script name from SCRIPT_FILENAME. So, supposing http://www.80sec.com/80sec.jpg exists, it can be visited in the following way: http://www.80sec.com/80sec.jpg/80sec.php. nginx is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. The issue affects nginx 0.6.36 and prior.
Trust: 0.81
IOT TAXONOMY
category: | ['Network device'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
vendor: | nginx | model: | nginx | scope: | - | version: | - | Trust: 0.6 |
vendor: | igor | model: | sysoev nginx | scope: | eq | version: | 0.6.36 | Trust: 0.3 |
vendor: | igor | model: | sysoev nginx | scope: | eq | version: | 0.6.32 | Trust: 0.3 |
vendor: | igor | model: | sysoev nginx | scope: | eq | version: | 0.6 | Trust: 0.3 |
THREAT TYPE
network
Trust: 0.3
TYPE
Input Validation Error
Trust: 0.3
EXTERNAL IDS
db: | BID | id: | 40420 | Trust: 0.9 |
db: | CNVD | id: | CNVD-2010-0917 | Trust: 0.6 |
REFERENCES
url: | http://www.80sec.com/nginx-securit.html | Trust: 0.6 |
url: | http://nginx.org/ | Trust: 0.3 |
CREDITS
cp77fk4r
Trust: 0.3
SOURCES
db: | CNVD | id: | CNVD-2010-0917 |
db: | BID | id: | 40420 |
LAST UPDATE DATE
2022-05-17T01:41:43.694000+00:00
SOURCES UPDATE DATE
db: | CNVD | id: | CNVD-2010-0917 | date: | 2010-05-20T00:00:00 |
db: | BID | id: | 40420 | date: | 2010-05-28T16:30:00 |
SOURCES RELEASE DATE
db: | CNVD | id: | CNVD-2010-0917 | date: | 2010-05-20T00:00:00 |
db: | BID | id: | 40420 | date: | 2010-05-20T00:00:00 |