[security advisory] http://wiki.nginx.org/Redmine

Francis Daly francis at daoine.org
Sun Mar 8 20:50:47 UTC 2015


On Sun, Mar 08, 2015 at 04:58:05PM +0200, Gena Makhomed wrote:

Hi there,

> webpage http://wiki.nginx.org/Redmine has some security problems:
> 
> 1. All redmine config files are available for anybody in internet,
> for example: https://redmine.example.com/config/database.yml
> contains in plain text login and password for database connection.

I don't think that one is an nginx problem.

From reading the redmine docs, it looks like the contents of the "root"
directive directory should be whatever is in the distributed redmine
public/ directory; not the entire installation including configuration.

And if /var/www/redmine does just have the public/ contents and the
upstream servers reveal secret information, that would be their problem
and not nginx's, I think.

> 2. wiki.nginx.org use nginx/1.5.12 with known security vulnerabilities
> 
> 3. Unsafe variable $http_host was used instead of safe one $host

I'm not sure how $http_host is less safe than $host. It is proxy_pass'ed
to the "real" redmine server as the Host header. That server must be
able to handle it safely anyway, no?

	f
-- 
Francis Daly        francis at daoine.org
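An added configuration example, not part of the thread above and not the wiki's or Redmine's own config, illustrating the two points under discussion: `root` pointing only at Redmine's distributed `public/` directory rather than the whole installation (so files such as `config/database.yml` are never on the static-file path), and the proxied `Host` header. Paths, the server name and the upstream address are assumptions.

```nginx
# Added example; all paths, names and addresses are placeholders.
upstream redmine_app {
    server 127.0.0.1:3000;   # assumed: the Redmine application server
}

server {
    listen 80;
    server_name redmine.example.com;

    # Serve only the distributed public/ directory as static content.
    # Pointing root at the whole checkout would expose config/database.yml
    # and similar files through the same static-file path.
    root /var/www/redmine/public;

    # Defence in depth: even if root is ever widened, never serve
    # anything under /config/.
    location ~ ^/config/ {
        return 404;
    }

    location / {
        try_files $uri @redmine;
    }

    location @redmine {
        proxy_pass http://redmine_app;
        # $host is taken from the request line, else the Host header, else
        # the matched server_name, and is normalised (lowercase, no port);
        # $http_host is the raw Host header value as sent by the client.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

A quick check after reloading: a request for `/config/database.yml` should return 404 from nginx itself, and the upstream log should show the `Host` header arriving as the normalised server name rather than whatever the client put in the header.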
