How does Nginx look-up cached resource?

Gena Makhomed gmm at csdoc.com
Mon Sep 7 14:44:49 UTC 2015


On 06.09.2015 4:56, Maxim Dounin wrote:

>> The security of the MD5 hash function is severely compromised.
>> A collision attack exists that can find collisions within seconds
>> on a computer with a 2.6 GHz Pentium 4 processor (complexity of 2**24.1)
>> - https://en.wikipedia.org/wiki/MD5#Security
>
> I said "took", not "takes now".  The MD5 hash function was
> introduced in 1991, and the first collision was found in 2004.
>
> Also, it's important to understand that, while collision attacks
> now exists, it doesn't really make MD5 bad for various
> non-security uses.

nginx cache is security use too.

If user configure common shared cache for all virtual servers,
and config have two servers: first, protected by access,
auth_basic or auth_request modules from unauthorized use,
and second server with publicly available content.

If attacker know proxy_cache_key, for example $scheme$host$request_uri
and know $request_uri from protected site - he can create MD5/crc32
collision by building specific $request_uri for second server,
and he will got unauthorized access to protected content
from the first, protected web site.

This is looks like vulnerability.
And this vulnerability can be fixed as Sergey Brester propose:

We should always compare the keys,
after cache entry with hash value was found.

Or vulnerability can be minimized by using secure hash
function instead of current cryptographically broken MD5.

-- 
Best regards,
  Gena



More information about the nginx-devel mailing list