[nginx-announce] nginx security advisory (CVE-2013-4547)

Hello! Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact (CVE-2013-4547). Some checks on a request URI were not executed on a character following an unescaped space character (which is invalid per HTTP protocol, but allowed for compatibility reasons since nginx 0.8.41). One of the results is that it was possible to bypass security restrictions like location /protected/ { deny all; } by requesting a file as "/foo /../protected/file" (in case of static files, only if there is a "foo " directory with a trailing space), or to trigger processing of a file with a trailing space in a configuration like location ~ \.php$ { fastcgi_pass ... } by requesting a file as "/file \0.php". The problem affects nginx 0.8.41 - 1.5.6. The problem is fixed in nginx 1.5.7, 1.4.4. Patch for the problem can be found here: http://nginx.org/download/patch.2013.space.txt As a temporary workaround the following configuration can be used in each server{} block: if ($request_uri ~ " ") { return 444; } -- Maxim Dounin http://nginx.org/en/donation.html