[security advisory] http://wiki.nginx.org/Redmine
francis at daoine.org
Sun Mar 8 20:50:47 UTC 2015
On Sun, Mar 08, 2015 at 04:58:05PM +0200, Gena Makhomed wrote:
> webpage http://wiki.nginx.org/Redmine has some security problems:
> 1. All redmine config files are available to anybody on the internet,
> for example: https://redmine.example.com/config/database.yml
> contains the login and password for the database connection in plain text.
I don't think that one is an nginx problem.
From reading the redmine docs, it looks like the contents of the "root"
directive directory should be whatever is in the distributed redmine
public/ directory; not the entire installation including configuration.
And if /var/www/redmine does just have the public/ contents and the
upstream servers reveal secret information, that would be their problem
and not nginx's, I think.
> 2. wiki.nginx.org uses nginx/1.5.12 with known security vulnerabilities
> 3. Unsafe variable $http_host was used instead of safe one $host
I'm not sure how $http_host is less safe than $host. It is proxy_pass'ed
to the "real" redmine server as the Host header. That server must be
able to handle it safely anyway, no?
Francis Daly francis at daoine.org
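An added configuration example (not the wiki.nginx.org/Redmine page's configuration, and not written by either participant in the thread) showing the layout the reply describes: the "root" directive points at Redmine's public/ directory only, so the installation's config/ tree is never in the served document root, and everything that is not a static file is handed to the upstream application server. The install path /opt/redmine, the upstream address 127.0.0.1:3000 and the server name are assumptions; the Host header is passed as $host, following the report's suggestion, with the caveat from the reply that the application must validate it either way.

```nginx
# Added example, not the configuration from wiki.nginx.org/Redmine.
# Assumptions: Redmine installed under /opt/redmine, application server
# (e.g. Passenger/Unicorn/Puma) listening on 127.0.0.1:3000.

upstream redmine_app {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name redmine.example.com;   # assumed hostname
    # ssl_certificate / ssl_certificate_key assumed to be set elsewhere

    # Weak setting: the whole installation as document root makes
    # config/database.yml a plain static file that nginx will serve.
    # root /opt/redmine;

    # Serve only the distributed public/ tree; config/ is outside it.
    root /opt/redmine/public;

    location / {
        # Static assets from public/ first, everything else to the app.
        try_files $uri @redmine;
    }

    location @redmine {
        proxy_pass http://redmine_app;
        # $host is the Host header with the port stripped and lowercased,
        # falling back to server_name when the header is absent; the raw
        # client value is $http_host. The application must still validate it.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

A quick check after deploying is to request /config/database.yml on the site and confirm it is answered by the application (a 404 from Redmine) rather than served as a static file; with root at public/ there is no such path for nginx to find.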