Re: Re: nginx security advisory (CVE-2013-4547)
Maxim Dounin
mdounin at mdounin.ru
Thu Nov 21 11:58:56 UTC 2013
Hello!
On Thu, Nov 21, 2013 at 05:15:58PM +0800, yzprofile wrote:
> Hi,
>
> I have a question with this POC:
>
> > location /protected/ {
> >     deny all;
> > }
> >
> > location ~ \.php$ {
> >     fastcgi_pass ...
> > }
>
>
> These locations own different priorities, http://nginx.org/en/docs/http/ngx_http_core_module.html#location
>
> I think every request like “/protected/hello.php” can bypass this security restriction like “location /protected {deny all;}”.
>
> Is there something wrong with this POC description or something I misunderstand? Thanks.
These are distinct examples of affected configurations.
Obviously if you have both locations in your configuration exactly as
written, access to "/protected/hello.php" is not restricted (and there is
nothing to bypass).

This is actually a common configuration mistake to write a configuration
like this and assume that access to php files under "/protected/" is
restricted. Correct solution would be to use "^~" modifier to prevent
checking of regexp locations:

    location ^~ /protected/ {
        deny all;
    }

    location ~ \.php$ { ... }

or using nested locations to isolate regexp locations:

    location / {
        # public
        location ~ \.php$ { ... }
    }

    location /protected/ {
        auth_basic ...
        location ~ \.php$ { ... }
    }

--
Maxim Dounin
http://nginx.org/en/donation.html
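
An added example, not part of the original message and not nginx code: a simplified Python model of nginx's documented top-level location selection (exact match, longest prefix, "^~", then regexes in configuration order), run against the two configurations discussed above. The labels, the sample URIs and the function names are constructed for illustration, and nested locations are not modelled.

```python
import re

# Each location is (modifier, pattern, label); modifier is "", "=", "^~", "~" or "~*".
AS_QUOTED = [
    ("", "/protected/", "deny all"),
    ("~", r"\.php$", "fastcgi_pass"),
]
WITH_CARET_TILDE = [
    ("^~", "/protected/", "deny all"),
    ("~", r"\.php$", "fastcgi_pass"),
]

def select_location(locations, uri):
    """Return the label of the location that would handle uri."""
    best = None      # longest matching prefix location seen so far
    regexes = []     # regex locations, kept in configuration order
    for mod, pat, label in locations:
        if mod == "=":
            if uri == pat:
                return label               # exact match ends the search
        elif mod in ("", "^~"):
            if uri.startswith(pat) and (best is None or len(pat) > len(best[1])):
                best = (mod, pat, label)
        else:
            flags = re.IGNORECASE if mod == "~*" else 0
            regexes.append((re.compile(pat, flags), label))
    if best and best[0] == "^~":
        return best[2]                     # "^~" on the longest prefix skips regexes
    for rx, label in regexes:
        if rx.search(uri):
            return label                   # first matching regex beats the prefix
    return best[2] if best else None

def audit(locations, uris):
    """Map each sample URI to the location that would serve it."""
    return {uri: select_location(locations, uri) for uri in uris}

if __name__ == "__main__":
    samples = ["/protected/hello.php", "/protected/hello.txt", "/index.php"]
    for name, conf in (("as quoted", AS_QUOTED), ("with ^~", WITH_CARET_TILDE)):
        print(name, audit(conf, samples))
```
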