[security advisory] http://wiki.nginx.org/Redmine

Gena Makhomed gmm at csdoc.com
Sun Mar 8 14:58:05 UTC 2015


The webpage http://wiki.nginx.org/Redmine has some security problems:

1. All Redmine config files are available to anybody on the internet;
for example, https://redmine.example.com/config/database.yml
contains the login and password for the database connection in plain text.

2. wiki.nginx.org uses nginx/1.5.12, which has known security vulnerabilities.

3. The unsafe variable $http_host was used instead of the safe one, $host.


Current content of the page http://wiki.nginx.org/Redmine:


This is very nearly a drop-in configuration. The only things you should
need to change are the root location, the upstream servers, and the
server name.

upstream redmine {
        server 127.0.0.1:3000;  # placeholder: the wiki text omits the backend address
}

server {
        server_name redmine.DOMAIN.TLD;
        root /var/www/redmine;

        location / {
                try_files $uri @ruby;
        }

        location @ruby {
                proxy_set_header  X-Real-IP  $remote_addr;
                # value truncated on the wiki page; $proxy_add_x_forwarded_for is the conventional one
                proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header  Host $http_host;
                proxy_redirect off;
                proxy_read_timeout 300;
                proxy_pass http://redmine;
        }
}
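For comparison, here is a hardened variant of that configuration addressing points 1 and 3 above. It is an added example, not the wiki page's or the poster's configuration. It assumes the Redmine backend listens on 127.0.0.1:3000 and that Redmine is installed under /var/www/redmine; as a Rails application, its static files live in public/, which is the only directory nginx should ever serve directly.

```nginx
# Added example (not the wiki page's or the poster's config): hardened variant.
# Assumed: Redmine backend on 127.0.0.1:3000, application under /var/www/redmine.
upstream redmine {
        server 127.0.0.1:3000;          # assumed backend address
}

server {
        listen 80;
        server_name redmine.DOMAIN.TLD;

        # Serve only Redmine's public/ directory, not the application root, so
        # config/, db/, log/ and tmp/ are never candidates for "try_files $uri".
        # With root set to the app root, /config/database.yml is a plain file
        # hit and nginx serves it (point 1 above).
        root /var/www/redmine/public;

        # Defence in depth: even if root is later mis-set to the app root,
        # the Rails internals stay unreachable.
        location ~ ^/(config|db|log|tmp)/ {
                deny all;
        }

        # Dotfiles (.git, .env, ...) should never be served either.
        location ~ /\. {
                deny all;
        }

        location / {
                try_files $uri @ruby;
        }

        location @ruby {
                proxy_set_header  X-Real-IP        $remote_addr;
                proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
                # $host is the host name as nginx resolved it: taken from the request
                # line, else the Host header, else the matched server_name, and
                # lowercased with any port stripped. $http_host is the raw header
                # the client sent, so with the original config an attacker fully
                # controls what Redmine sees as its own host name (point 3 above).
                proxy_set_header  Host             $host;
                proxy_redirect    off;
                proxy_read_timeout 300;
                proxy_pass        http://redmine;
        }
}
```

With this layout a request for /config/database.yml misses under public/, falls through to @ruby, and Redmine answers with its own 404; the deny block only matters if someone later points root back at the application directory. Passing $host rather than $http_host also means that a request without a Host header (plain HTTP/1.0) still reaches the backend with a sane value instead of an empty one.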



Best regards,

More information about the nginx mailing list