Re: Re: nginx security advisory (CVE-2013-4547)

Maxim Dounin mdounin at mdounin.ru
Thu Nov 21 11:58:56 UTC 2013


Hello!

On Thu, Nov 21, 2013 at 05:15:58PM +0800, yzprofile wrote:

> Hi,  
> 
> I have a question with this POC:
> 
> > location /protected/ {
> > deny all;
> > }
> >  
> > location ~ \.php$ {
> > fastcgi_pass ...
> > }
> 
> 
> These locations own different priorities, http://nginx.org/en/docs/http/ngx_http_core_module.html#location
> 
> I think every request like “/protected/hello.php” can bypass this security restriction like “location /protected {deny all;}”.
> 
> Is there something wrong with this POC description or something I misunderstand? Thanks.

These are distinct examples of affected configurations.

Obviously if you have both locations in your configuration exactly as 
written, access to "/protected/hello.php" is not restricted (and there is 
nothing to bypass).

It is actually a common configuration mistake to write a configuration 
like this and assume that access to php files under "/protected/" is 
restricted.  The correct solution would be to use the "^~" modifier to 
prevent checking of regexp locations:

    location ^~ /protected/ {
        deny all;
    }

    location ~ \.php$ { ... }

or to use nested locations to isolate regexp locations:

    location / {
        # public
        location ~ \.php$ { ... }
    }

    location /protected/ {
        auth_basic ...
        location ~ \.php$ { ... }
    }

-- 
Maxim Dounin
http://nginx.org/en/donation.html
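
The following is an added example, not part of the original message and not nginx's own code: a simplified Python model of nginx location selection, run over the three configurations discussed above. The tuple layout and the labels ("deny", "php", "auth-php", ...) are assumptions made for the illustration; rewrites, named locations and URI normalization are not modeled.

```python
import re

# Each location is (modifier, pattern, label, nested_locations).
# Labels are hypothetical names for the example, not nginx identifiers.
PHP = ("~", r"\.php$", "php", [])
MISTAKE = [("", "/protected/", "deny", []), PHP]
CARET = [("^~", "/protected/", "deny", []), PHP]
NESTED = [
    ("", "/", "public", [("~", r"\.php$", "public-php", [])]),
    ("", "/protected/", "auth", [("~", r"\.php$", "auth-php", [])]),
]

def _find(locations, uri):
    """Return (label, final); final is True for an exact or regex match."""
    best = None
    for loc in locations:
        mod, pat, label, _nested = loc
        if mod == "=" and uri == pat:
            return label, True                 # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc                     # remember the longest prefix
    chosen = None
    if best is not None:
        inner, final = _find(best[3], uri)     # nested locations come first
        if final:
            return inner, True
        chosen = inner or best[2]
    if best is None or best[0] != "^~":        # "^~" skips this level's regexes
        for mod, pat, label, nested in locations:
            if mod in ("~", "~*"):
                flags = re.IGNORECASE if mod == "~*" else 0
                if re.search(pat, uri, flags): # first regex in config order wins
                    inner, _ = _find(nested, uri)
                    return inner or label, True
    return chosen, False

def select(locations, uri):
    """Label of the location that would handle uri, or None."""
    return _find(locations, uri)[0]

if __name__ == "__main__":
    for name, conf in (("mistake", MISTAKE), ("^~", CARET), ("nested", NESTED)):
        for uri in ("/protected/hello.php", "/protected/notes.txt", "/index.php"):
            print(f"{name:8} {uri:22} -> {select(conf, uri)}")
```

Running the same check over the URIs that must stay restricted is a quick way to audit a real configuration for a regexp location that takes over a protected prefix.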


