[security advisory] http://wiki.nginx.org/Redmine

Francis Daly francis at daoine.org
Sun Mar 8 20:50:47 UTC 2015

On Sun, Mar 08, 2015 at 04:58:05PM +0200, Gena Makhomed wrote:

Hi there,

> The webpage http://wiki.nginx.org/Redmine has some security problems:
> 1. All redmine config files are available to anybody on the internet,
> for example: https://redmine.example.com/config/database.yml
> contains the login and password for the database connection in plain text.

I don't think that one is an nginx problem.

From reading the redmine docs, it looks like the contents of the "root"
directive directory should be whatever is in the distributed redmine
public/ directory; not the entire installation including configuration.

And if /var/www/redmine does just have the public/ contents and the
upstream servers reveal secret information, that would be their problem
and not nginx's, I think.

> 2. wiki.nginx.org uses nginx/1.5.12, which has known security vulnerabilities
> 3. The unsafe variable $http_host was used instead of the safe one, $host

I'm not sure how $http_host is less safe than $host. It is proxy_pass'ed
to the "real" redmine server as the Host header. That server must be
able to handle it safely anyway, no?

Francis Daly        francis at daoine.org
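Added example (not the wiki page's configuration and not from either poster): an nginx server block laid out the way the reply above describes, with `root` pointing at redmine's public/ tree rather than the whole installation, and both Host-header variants from the thread shown side by side. The hostname, paths and upstream address are assumptions.

```nginx
# Constructed example; redmine.example.com, /var/www/redmine and
# 127.0.0.1:3000 are assumed values, not taken from the wiki page.

upstream redmine_app {
    server 127.0.0.1:3000;   # the Rails application server (assumed)
}

server {
    listen 80;
    server_name redmine.example.com;

    # Only public/ is meant to be served as static files. If root were
    # /var/www/redmine (the whole install), a request for
    # /config/database.yml would be answered from disk.
    root /var/www/redmine/public;

    # Static assets that exist under public/ are served directly;
    # everything else is handed to the application.
    location / {
        try_files $uri @redmine;
    }

    location @redmine {
        proxy_pass http://redmine_app;

        # $host is nginx's normalized value: host from the request line,
        # else the Host header, else the matching server_name; lowercased
        # and without a port. $http_host is the raw Host header exactly as
        # the client sent it. The thread debates which to forward; the
        # backend must validate whatever it receives either way.
        proxy_set_header Host $host;
        # proxy_set_header Host $http_host;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```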
