security advisory

Maxim Dounin mdounin at mdounin.ru
Tue Jun 5 14:31:59 UTC 2012


Hello!

Vladimir Kochetkov, Positive Research Center, discovered a 
security problem in nginx/Windows, which might allow security 
restrictions bypass (CVE-2011-4963).

There are many ways to access the same file when working under 
Windows, and nginx failed to account for all of them.  As a 
result, it was possible to bypass security restrictions like

    location /directory/ {
        deny all;
    }

by requesting a file as "/directory::$index_allocation/file", or 
"/directory:$i30:$index_allocation/file", or "/directory./file". 

The problem is fixed in nginx/Windows 1.3.1, 1.2.1.

For older versions the following configuration can be used as a 
workaround:

    location ~ "(\./|:\$)" {
        deny all;
    }

Maxim Dounin



More information about the nginx mailing list