security advisory
Maxim Dounin
mdounin at mdounin.ru
Tue Jun 5 14:31:59 UTC 2012
Hello!
Vladimir Kochetkov, Positive Research Center, discovered a
security problem in nginx/Windows, which might allow security
restrictions bypass (CVE-2011-4963).
There are many ways to access the same file when working under
Windows, and nginx failed to account for all of them. As a
result, it was possible to bypass security restrictions like

    location /directory/ {
        deny all;
    }

by requesting a file as "/directory::$index_allocation/file", or
"/directory:$i30:$index_allocation/file", or "/directory./file".
The problem is fixed in nginx/Windows 1.3.1, 1.2.1.
For older versions the following configuration can be used as a
workaround:

    location ~ "(\./|:\$)" {
        deny all;
    }

Maxim Dounin
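
An added example (not part of the advisory or of nginx): a Python check that applies the workaround regex to request URIs from an access log, to find past requests that the workaround location would have denied. It assumes the common/combined log format and only approximates nginx's URI normalization (query string dropped, percent-decoding, dot segments resolved); the function names and log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Regex taken from the advisory's workaround location block.
WORKAROUND = re.compile(r"(\./|:\$)")
# Request field of a common/combined access log line: "METHOD URI PROTOCOL".
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (addresses, times, statuses, sizes are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2012:14:40:01 +0000] "GET /directory/file HTTP/1.1" 403 168',
    '203.0.113.5 - - [05/Jun/2012:14:40:02 +0000] "GET /directory::$index_allocation/file HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jun/2012:14:40:03 +0000] "GET /directory:$i30:$index_allocation/file HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jun/2012:14:40:04 +0000] "GET /directory./file HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Jun/2012:14:41:10 +0000] "GET /docs/./index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Jun/2012:14:41:11 +0000] "GET /static/app.min.js HTTP/1.1" 200 9000',
    '198.51.100.7 - - [05/Jun/2012:14:41:12 +0000] "GET /search?q=a:$b HTTP/1.1" 200 300',
]

def normalized_path(raw_uri):
    """Approximate the path nginx matches locations against (assumption:
    query string removed, percent-decoded, "." and ".." segments resolved)."""
    path = unquote(raw_uri.split("?", 1)[0])
    norm = posixpath.normpath(path)
    # normpath drops a trailing slash; keep it so "name./" still matches.
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm

def flagged_requests(log_lines):
    """Return the raw URIs whose normalized path matches the workaround regex."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and WORKAROUND.search(normalized_path(m.group(1))):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    for uri in flagged_requests(SAMPLE_LOG):
        print("review:", uri)
```

A flagged request that was answered with a 2xx status on a version older than 1.3.1 / 1.2.1 is the case worth reviewing against the protected locations.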