[security advisory] http://wiki.nginx.org/Redmine
Gena Makhomed
gmm at csdoc.com
Sun Mar 8 14:58:05 UTC 2015
Hello,
The webpage http://wiki.nginx.org/Redmine has some security problems:
1. All Redmine config files are available to anybody on the internet,
for example: https://redmine.example.com/config/database.yml
contains the login and password for the database connection in plain text.
2. wiki.nginx.org uses nginx/1.5.12, which has known security vulnerabilities.
3. The unsafe variable $http_host was used instead of the safe one, $host.
===================================================================
Content of the page http://wiki.nginx.org/Redmine at present:
[...]
This is very nearly a drop in configuration. The only thing you should
need to change will be the root location, upstream servers, and the
server name.
upstream redmine {
    server 127.0.0.1:8000;
    server 127.0.0.1:8001;
    server 127.0.0.1:8002;
}

server {
    server_name redmine.DOMAIN.TLD;
    root /var/www/redmine;

    location / {
        try_files $uri @ruby;
    }

    location @ruby {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_read_timeout 300;
        proxy_pass http://redmine;
    }
}
[...]
===================================================================
--
Best regards,
Gena
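For reference, below is a corrected version of the quoted configuration that addresses points 1 and 3 of the report. This is an added example, not the content of the wiki page and not something the reporter posted. It assumes the standard Redmine (Rails) layout in which static assets live under `public/` and the application's private directories (`config/`, `db/`, `lib/`, ...) sit one level above it; the `/var/www/redmine` path and the `redmine.DOMAIN.TLD` name are carried over from the quoted snippet as placeholders.

```nginx
upstream redmine {
    server 127.0.0.1:8000;
    server 127.0.0.1:8001;
    server 127.0.0.1:8002;
}

server {
    server_name redmine.DOMAIN.TLD;

    # Point the document root at the Rails "public" directory (assumed
    # standard Redmine layout). try_files can then only serve static
    # assets; config/database.yml is outside the root and cannot be
    # reached as /config/database.yml.
    root /var/www/redmine/public;

    # Defense in depth: even if the root is later moved back to the
    # application directory, never serve its private subtrees.
    location ~ ^/(config|db|lib|log|tmp|vendor)(/|$) {
        deny all;
    }

    location / {
        try_files $uri @ruby;
    }

    location @ruby {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $host is normalised by nginx (lowercased, port stripped, falls
        # back to server_name when the header is absent); $http_host is
        # the raw client-supplied Host header passed through unchanged.
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_read_timeout 300;
        proxy_pass http://redmine;
    }
}
```

After `nginx -t` and a reload, a request for `/config/database.yml` on the server should answer 403 (from the `deny all` location) or 404 rather than returning file contents; checking that on your own deployment is a quick confirmation that the root change took effect.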