[security advisory] http://wiki.nginx.org/Redmine

Gena Makhomed gmm at csdoc.com
Mon Mar 9 18:24:43 UTC 2015

On 09.03.2015 19:25, Francis Daly wrote:

>>> From reading the redmine docs, it looks like the contents of the "root"
>>> directive directory should be whatever is in the distributed redmine
>>> public/ directory; not the entire installation including configuration.
>> I am talk about configuration recommended
>> at webpage http://wiki.nginx.org/Redmine
>> not about "reading the redmine docs".
> But the user must have followed some documentation to install redmine in
> the first place; and if they unthinkingly install it into /var/www/redmine
> they are probably doing something wrong before nginx gets involved.

redmine documentation:
don't forbid users to install redmine into /var/www/redmine

even more, redmine documentation:
RECOMMENDS to install redmine into /var/www/redmine
see: "Configure /var/www/redmine/config/database.yml"

see: "Configure /var/www/redmine/config/database.yml"

also, FHS http://www.pathname.com/fhs/pub/fhs-2.3.html
don't say what /var/www/.... must contain only "static" files.

> I see instructions to install to /opt/redmine, and to /var/lib/redmine,
> and to /usr/share/redmine, and in each case they say to do something like
>    ln -s /usr/share/redmine/public /var/www/redmine
> to have only the web-accessible content below /var/www/redmine.

I don't see such instructions at the http://wiki.nginx.org/Redmine

> If the user really wants to install to /var/www/redmine, then they must
> modify the "root" directive (to be /var/www/redmine/public), as the
> words on the wiki page already say.

I modify root directive,
but change /var/www/redmine to /home/www/redmine
and all works fine, but with vulnerability.

User must guess than they must change from "root /var/www/redmine;"
to "root /var/www/redmine/public;" to fix this unobvious vulnerability?

> I do not see this as an nginx-related security problem.

As I already say, this is not nginx-related security problem,
it was by default vulnerable configuration as wiki recommendation.

>>> And if /var/www/redmine does just have the public/ contents and the
>>> upstream servers reveal secret information, that would be their problem
>>> and not nginx's, I think.
>>     root /var/www/redmine;
>>     try_files $uri @ruby;
>> Request https://redmine.example.com/config/database.yml will be
>> processed by nginx, because file /var/www/redmine/config/database.yml
>> exists. For details - see manual about try_files directive in nginx.
> The file /var/www/redmine/config/database.yml should not exist.

it MUST exists, because redmine install
instructions suppose that such file exists:
"Configure /var/www/redmine/config/database.yml"

> If the file /var/www/redmine/config/database.yml does exist and the
> above nginx configuration is used, then the user will find that no part
> of their redmine web-related installation will work, because all of the
> images and stylesheets and javascripts are inaccessible.

No, if nginx frontend can't process such non-existend files,
it just silently proxy request to backend and backend process
such request without any problems.

So, this security vulnerability will be *invisible* for users.

Try it youself, if you don't believe me.

> Correspondingly, if the user has installed only web content below
> /var/www, then using a different "root" directive will cause that
> installation not to work.

redmine documentation at redmine site recomments install
entire redmine into /var/www/redmine directory, not only public content.

Best regards,

More information about the nginx mailing list